CVE-2019-13374
MEDIUM
D-Link Central WiFi Manager CWM-100 < 1.03R0100_BETA6 - Cross-Site Scripting via PayAction.class.php Passcode Parameter
Title source: llmDescription
A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter.
References (3)
Core References
Various Sources (x_refsource_misc): https://unh3x.github.io/2019/02/21/D-link-%28CWM-100%29-Multiple-Vulnerabilities/
Various Sources (x_refsource_misc): https://github.com/unh3x/unh3x.github.io/blob/master/_posts/2019-02-21-D-link-%28CWM-100%29-Multiple-Vulnerabilities.md
Patch, Vendor Advisory (x_refsource_confirm): https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10117
Scores
CVSS v3: 6.1
EPSS: 0.0020
EPSS Percentile: 41.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1): dlink/central_wifimanager 1.03
Published: Jul 06, 2019
Tracked Since: Feb 18, 2026