Discoverer


Team StellarFlare (Jeongwon Seok, Yeeun Lee, Haim Lee, Munju Lim, Minu Cho, Gyeongmin Hong)

Description


Trendnet TEW-929DRU devices contain a Stored Cross-site Scripting (XSS) vulnerability via the configname parameter on the /cbi_addcert.htm page.

Overview


Vulnerability Information



In the settings under the "Management" page, there is an option called "Certificate Management". This section allows users to create and import security certificates used for IPsec VPN and OpenVPN authentication.