CVE-2024-33111

MEDIUM

D-Link DIR-845L Firmware <= 1.01KRb03 - Cross-Site Scripting via bsc_sms_inbox.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-33111. PoCs published by FaLLenSKiLL1.

AI-analyzed exploit summary The repository contains a functional proof-of-concept for CVE-2024-33111, demonstrating a reflected XSS vulnerability in D-Link DIR-845L routers via the `Treturn` parameter in `/htdocs/webinc/js/bsc_sms_inbox.php`. The PoC includes a crafted URL that triggers the XSS payload.

Description

D-Link DIR-845L router <=v1.01KRb03 is vulnerable to Cross Site Scripting (XSS) via /htdocs/webinc/js/bsc_sms_inbox.php.

Exploits (1)

nomisec WORKING POC
by FaLLenSKiLL1 · poc
https://github.com/FaLLenSKiLL1/CVE-2024-33111

The repository contains a functional proof-of-concept for CVE-2024-33111, demonstrating a reflected XSS vulnerability in D-Link DIR-845L routers via the `Treturn` parameter in `/htdocs/webinc/js/bsc_sms_inbox.php`. The PoC includes a crafted URL that triggers the XSS payload.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: D-Link DIR-845L routers version 1.01KRb03 and below
No auth needed
Prerequisites: Access to the vulnerable endpoint `/bsc_sms_inbox.php`
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 5.4
EPSS 0.0080
EPSS Percentile 52.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
dlink/dir-845l_firmware < 1.01krb03
Published May 06, 2024
Tracked Since Feb 18, 2026