Discoverer

Team StellarFlare (Jeongwon Seok, Yeeun Lee, Haim Lee, Munju Lim, Minu Cho, Gyeongmin Hong)

Description

Trendnet TEW-929DRU devices contain a Stored Cross-site Scripting (XSS) vulnerability via the r_name variable inside the have_same_name function on the /addschedule.htm page.

Overview

• Product : TEW-929DRU
• Firmware Version : 1.0.0.10
• Manufacturer's website information
  • https://www.trendnet.com/home
• Firmware download address
  • https://www.trendnet.com/support/support-detail.asp?prod=135_TEW-929DRU

Vulnerability Information

In the settings under the "System" page, there is an option called "Schedule". This setting is used to manage schedule rules