On July 18, the Cybersecurity Philippines CERT (CSP-Cert) vulnerability research team discovered a number of vulnerabilities in Lenovo Portable Router R2105, which has been discontinued since 2014 and is only available through third-party retailers.

The CSP-Cert team said in its blog post that the router, which runs on firmware version 1.0, “have fields that are vulnerable to cross-site scripting attacks (XSS).

According to Webopedia, “XSS is a security breach that takes advantage of dynamically generated web pages. In an XSS attack, a web application is sent with a script that activates when it is read by an unsuspecting user’s browser or by an application that has not protected itself against cross-site scripting. Because dynamic websites rely on user input, a malicious user can input malicious script into the page by hiding it within legitimate requests.”

If the vulnerability is exploited, the webpage will be able to process the arbitrary code to execute and even remote code execution could “happen via cross-site request forgery.”

The fields are not “sanitized,” to use the term by the researchers, and this flaw makes the vulnerability susceptible to run random web scripts that would lead to attacks. However, only a logged-in user could exploit the vulnerability, which makes this “low risk.”

The researchers disclosed the vulnerability seven days after it was detected.

CSP-Cert team further explained that because the router does not have CSRF (Cross-Site Request Forgery) protection, it can allow a “foreign reset request” when a user visits a malicious site that contains the request. XSS happens when the request is forwarded to the router “making code execution possible.”

The researchers quoted Lenovo acknowledging the vulnerability. Because the product has already been discontinued, users of the router cannot expect any fixes.

However, CSP-Cert offers the following suggestions to minimize the risk:

• Do not use the default credentials when using the router. Change the password upon usage.
• Every time the configuration is set, log out of the administrator web panel before visiting other websites. This ensures cross-site request forgery cannot happen.