CVE-2025-6563 (CVSS 4.0 base score 4.8)
- EPSS 0.64%
- Published 03.07.2025 11:18:26
- Last modified 15.04.2026 00:35:42
- Source 1c6b5737-9389-4011-8117-89fa25
Cross-site scripting via dst parameter in RouterOS WiFi hotspot
A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS in versions below 7.19.2. An attacker can inject the `javascript` protocol into the `dst` parameter (the post-login redirect target). When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to log in can also be converted to a GET request, so an attacker can send a specifically crafted URL that automatically logs the victim in (to the attacker's account) and triggers the payload.
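The two defects the description names are a redirect parameter that accepts a `javascript:` URL and a login endpoint that accepts credentials over GET. The following is an added example of how a hotspot-style login handler can close both; it is not MikroTik code, and the parameter names other than `dst` (`username`, `password`), the host names and the `/status` fallback page are assumptions. The `dst` check normalises the value the way browsers do (stripping leading controls and embedded tab/CR/LF) before looking at the scheme, so `java\tscript:` and ` javascript:` are caught, and it also rejects protocol-relative and backslash-prefixed targets that would redirect off-site.

```python
"""Hardened handling of a hotspot login `dst` (post-login redirect) parameter.

Added example, not MikroTik code. Parameter names other than `dst`
(`username`, `password`), host names and the `/status` page are assumptions.
"""
import re
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Browsers strip leading/trailing C0 controls and spaces and remove embedded
# tab/CR/LF before parsing the scheme. Do the same so the check sees what the
# browser will see.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_EMBEDDED_WS = re.compile(r"[\t\r\n]")


def _normalise(url: str) -> str:
    return _EMBEDDED_WS.sub("", url.strip(_C0_AND_SPACE))


def is_safe_dst(dst: str, allowed_hosts: Optional[Set[str]] = None) -> bool:
    """True only for an absolute same-origin path or an http(s) URL on an allowed host.

    Rejects javascript:/data:/other schemes (case-insensitive), remaining
    control characters, backslashes (browsers treat them as '/'), and
    protocol-relative targets such as //evil.example/.
    """
    if not dst:
        return False
    url = _normalise(dst)
    if any(ord(c) < 0x20 for c in url) or "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme:
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False  # javascript:, data:, vbscript:, ...
        if not parts.hostname:
            return False
        return allowed_hosts is None or parts.hostname.lower() in allowed_hosts
    # No scheme: accept only an absolute path on this origin.
    if parts.netloc:  # "//evil.example/x"
        return False
    return url.startswith("/") and not url.startswith("//")


def handle_login(method: str, form: str, allowed_hosts: Set[str]) -> Tuple[int, Optional[str]]:
    """Simulated login endpoint returning (status, redirect_target).

    Credentials are only accepted in a POST body, so a crafted link cannot
    log the victim in. An unsafe `dst` falls back to a fixed same-site page
    instead of being reflected.
    """
    if method != "POST":
        return 405, None
    params = parse_qs(form, keep_blank_values=True)
    dst = params.get("dst", ["/status"])[0]
    if not is_safe_dst(dst, allowed_hosts):
        dst = "/status"
    return 302, dst


if __name__ == "__main__":
    hosts = {"hotspot.example"}  # assumed hotspot host name
    # Constructed sample: a crafted login URL carrying a javascript: dst.
    crafted = "username=attacker&password=attacker&dst=javascript:alert(document.domain)"
    print(handle_login("GET", crafted, hosts))   # (405, None): no login via link
    print(handle_login("POST", crafted, hosts))  # (302, '/status'): dst discarded
    print(handle_login("POST", "username=u&password=p&dst=%2Fstatus%3Fx%3D1", hosts))
```

The fallback to a fixed page rather than an error matters for a captive portal: a client that followed a stale or tampered link still lands on the hotspot status page and the session is not left half-established.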
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor: MikroTik
Product: RouterOS
Default status: unaffected

| Version range | Status |
|---|---|
| 0 up to (excluding) 7.19.2 | affected |
VulnDex Vulnerability Enrichment

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.64% | 0.457 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 1c6b5737-9389-4011-8117-89fa251edfb2 | 4.8 | 0 | 0 | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |

CVSS 4.0 defines no separate exploitability or impact sub-scores, so the 0 values in those columns are placeholders, not measurements. Reading the vector: AV:A means the attacker must be on the same (hotspot) network, UI:A means the victim must actively follow the link and log in, and VC:L/VI:L reflect the limited confidentiality and integrity impact of script running in the victim's browser on the hotspot origin.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (The CNA filed this under CWE-20; cross-site scripting is more specifically CWE-79, Improper Neutralization of Input During Web Page Generation.)
Reference: https://www.toreon.com/how-a-ski-trip-led-to-a-cve-in-a-wi-fi-hotspot/