Description
webinc/js/info.php on D-Link DIR-816L 2.06.B09_BETA and DIR-803 1.04.B02 devices allows XSS via the HTTP Referer header. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: this is typically not exploitable because of URL encoding (except in Internet Explorer) and because a web page cannot specify that a client should make an additional HTTP request with an arbitrary Referer header
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10190
Exploit, Third Party Advisory x_refsource_misc
https://github.com/sek1th/iot/blob/master/DIR-816L_XSS.md
Scores
CVSS v3
6.1
EPSS
0.0068
EPSS Percentile
71.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (7)
dlink/dir-645_firmware
1.06b01
dlink/dir-803_firmware
1.04.b02
dlink/dir-815_firmware
2.07.b01
dlink/dir-816l_firmware
2.06
dlink/dir-816l_firmware
2.06.b09 beta
dlink/dir-860l_firmware
1.10b04
dlink/dir-865l_firmware
1.08b01
Published
Sep 19, 2020
Tracked Since
Feb 18, 2026