What is the D-Link DSL-2760U?
The D-Link DSL-2760U is a DSL modem/router gateway device designed for residential and small business internet connections. Like most consumer and SOHO routers, it provides a web-based administration interface accessible from the local network (and sometimes the internet, if remote management is enabled) for configuring internet connection settings, wireless networks, and security parameters. Cross-site scripting vulnerabilities in router web interfaces are particularly damaging because they execute in the context of the router's privileged management page.
Overview
CVE-2013-5223 is a stored cross-site scripting vulnerability (CWE-79) in the D-Link DSL-2760U gateway's web administration interface. An authenticated attacker can inject malicious JavaScript into a configuration field that is later rendered back into the admin UI — when an administrator views the affected page, the stored script executes in their browser, potentially hijacking the admin session, reading configuration data, or making unauthorized changes to the router configuration.
Affected Versions
| Product | Affected |
|---|---|
| D-Link DSL-2760U | Affected firmware versions (contact D-Link for specific version details) |
The D-Link DSL-2760U is a legacy product. Organizations should verify whether firmware updates are available for their specific hardware revision.
Technical Details
Cross-site scripting vulnerabilities in router web interfaces arise when user-supplied input is stored in device configuration (NVRAM or similar storage) and later output into HTML responses without proper encoding. In CVE-2013-5223, a configuration field in the DSL-2760U web UI accepts input that is not sanitized before storage or output — allowing an authenticated user to store JavaScript payloads in the router's configuration.
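The flaw class described above, shown as an added C example; it is not D-Link firmware code and not from the original advisory. The advisory does not name the affected field, so the "device name" setting, `STORED_VALUE`, `html_escape` and `render_cell` are hypothetical, and the stored value is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a value saved into a hypothetical "device name"
   setting (the advisory does not name the affected field). */
static const char *STORED_VALUE = "lab<script>alert(1)</script>";

/* HTML-encode src into dst (element content or quoted attribute).
   Returns bytes written, or -1 if dst is too small: never truncates. */
int html_escape(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= cap) return -1;
        if (rep) memcpy(dst + n, rep, len); else dst[n] = *src;
        n += len;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Render one admin-page table cell. encode=0 is the flawed "before"
   (stored value copied as-is); encode=1 encodes at output time. */
int render_cell(const char *val, int encode, char *out, size_t cap)
{
    char enc[256] = "";
    if (encode && html_escape(val, enc, sizeof enc) < 0)
        return -1;  /* fail closed rather than emit partial markup */
    int n = snprintf(out, cap, "<td>%s</td>", encode ? enc : val);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char page[512];
    if (render_cell(STORED_VALUE, 0, page, sizeof page) >= 0) puts(page);
    if (render_cell(STORED_VALUE, 1, page, sizeof page) >= 0) puts(page);
    return 0;
}
```

Encoding at output time protects the admin page even when a value was stored before any input validation existed.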
Stored XSS impact on router administration:
- The CVSS Scope: Changed metric reflects that the injected script executes in the browser context of an administrator visiting the affected admin page — a different security context than the attacker's
- An admin visiting the page with the injected script will have the script run with access to their admin session cookies
- The script can silently change router settings (DNS servers, port forwarding rules, firewall settings), exfiltrate credentials, or redirect the admin to a phishing page
- DNS hijacking through a compromised router is a particularly impactful attack — redirecting users to attacker-controlled IP addresses for banking or corporate services
Authentication requirement: The PR:L (low privileges) metric indicates that exploiting the stored XSS requires some form of authentication to the admin interface. However, SOHO routers frequently use default or weak credentials, making authenticated access easy to obtain in many deployments.
Discovery
The vulnerability was discovered through security research into D-Link DSL gateway firmware and published in November 2013.
Exploitation Context
CISA confirmed exploitation in the wild. Router XSS vulnerabilities are exploited in campaigns that use compromised routers to redirect DNS queries or intercept web traffic. Consumer and SOHO routers are attractive targets because:
- They are rarely updated by users
- Default credentials are common
- They provide persistent network-level access that survives endpoint security tools
- Compromising the router affects all devices on the network without requiring individual device compromise
Remediation
- Update DSL-2760U firmware to the latest available version from D-Link's support pages
- Change the router's default administrator credentials to a strong, unique password immediately
- Disable remote web management access if not explicitly needed — restrict the admin interface to the local LAN only
- If the device is no longer receiving firmware updates (check D-Link's EoL product list), replace with a currently supported router that receives security patches
- Implement network monitoring for unusual DNS query behavior — a compromised router may redirect queries to attacker-controlled resolvers
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2013-5223 |
| Vendor / Product | D-Link — DSL-2760U |
| NVD Published | 2013-11-19 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 5.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-79 |
| CISA KEV Added | 2022-03-25 |
| CISA KEV Deadline | 2022-04-15 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2013-11-19 | CVE-2013-5223 published |
| 2022-03-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2013-5223 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |