VULHUB ™

### Stored Cross-Site Scripting (Authenticated) in SYROTECH SY-GOPON-1000-2WONU V2.1.7_X116 devices Syrotech is a company based on India, that manufactures compatible optical transceivers, GPON/EPON, networking switches, CATV equipment, FTTH passive products, testing equipment and accessories. More Info: <https://www.syrotech.com/About-us.html> The tested device was SYROTECH SY-GOPON-1000-2WONU V2.1.7_X116+...

### Stored Cross-Site Scripting (Authenticated) in SYROTECH SY-GOPON-1000-2WONU V2.1.7_X116 devices Syrotech is a company based on India, that manufactures compatible optical transceivers, GPON/EPON, networking switches, CATV equipment, FTTH passive products, testing equipment and accessories. More Info: <https://www.syrotech.com/About-us.html> The tested device was SYROTECH SY-GOPON-1000-2WONU V2.1.7_X116+  After logging in with the default credentials of **admin:admin** I've noticed that in the Security tab at the WAN ACL sub-menu is possible to inject arbitrary Javascript code in the URL field  After saving the URL automatically pops the alertbox  @xpl0ited1