D-Link DIR-816L 2.x - Cross-Site Scripting (CVE-2020-15895)

D-Link DIR-816L devices 2.x before 1.10b04Beta02 contains a cross-site scripting vulnerability. In the file webinc/js/info.php, no output filtration is applied to the RESULT parameter before being printed on the webpage. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow for theft of cookie-based authentication credentials and launch of other attacks.

D-Link DIR-816L系列2.x版本在1.10b04Beta02之前存在跨站脚本漏洞。在文件webinc/js/info.php中，未对RESULT参数进行输出过滤即在其网页上打印，攻击者可在此受影响网站的上下文中向无戒备用户的浏览器注入任意脚本，从而可能导致基于cookie的认证凭证被盗取，并可能引发其他攻击。