Published on March 25th, 2021 📆 | 4677 Views ⚑0
Linksys EA7500 220.127.116.11281 – Cross-Site Scripting
# Exploit Title: Linksys EA7500 18.104.22.168281 - Cross-Site Scripting # Date: 3/24/21 # Exploit Author: MiningOmerta # Vendor Homepage: https://www.linksys.com/ # Version: EA7500 Firmware Version: 22.214.171.124281 # CVE: CVE-2012-6708 # Tested On: Linksys EA7500 (jQuery version 1.7.1) # Cross-Site Scripting Vulnerability on modern versions of Linksys Smart-Wifi home routers. # Caused by outdated jQuery(strInput) version : < = 1.7.1 (Fixed in version 1.9.0) # Credit also to Reddit user michael1026 ### POC ### 1. When logging into the router (http://LHOST or http://LHOST:10080), choose "Click Here" next to "Dont Have an Account? " or Choose "click here" after "To login with your Linksys Smart Wi-Fi account", you will be redirected with a login prompt with both Email Address and Password forms. 2. Make your email address "" without the double quotes. 3. Payload will be triggered when mouse is clicked anywhere within the Email Address form box or when form is submitted.