CellPipe Router XSS vulnerability

Device model: CellPipe 7130 RG 5Ae. M2013 HOL
Software Version: 1.0.0.20h.HOL
CVE: CVE-2015-4587
Date: 16/06/2015
Discovered by: DiLi
Vulnerability type: Stored XSS vulnerabilities in the router's web interface

Exploitation and Impact:

The cross-site scripting vulnerability is shared among the router's users, so it can harm other users of the router. The malicious JavaScript can be executed in the context of another user's browser and allows several different attack opportunities, mostly hijacking the current session of the user. This happens because the user input is interpreted as HTML/JavaScript by the browser.

For example, in the "Port Triggering" menu, in the "Custom application" field, we can add JavaScript like:
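Added example (not part of the original advisory and not the router's firmware code): a defensive sketch of the root cause stated above, with a stored "Custom application" value rendered unescaped beside an output-encoded version and an input allow-list. The rule fields, function names and the 32-character name policy are assumptions, and the sample values are constructed.

```javascript
// Constructed sample: port-triggering rules as a web UI might store them.
// Field names (app, triggerPort) are assumptions, not the device's schema.
const storedRules = [
  { app: "GameServer", triggerPort: 6112 },
  { app: "<b>Game</b>", triggerPort: 27015 }, // markup submitted as a name
];

// Encode the characters that let text leave an HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Input-side check (assumed policy): short names from a fixed character set.
function isValidAppName(name) {
  return typeof name === "string" && /^[A-Za-z0-9 _.-]{1,32}$/.test(name);
}

// Vulnerable pattern: the stored value is concatenated into the page, so the
// browser of every later visitor parses it as HTML/JavaScript.
function renderRowUnsafe(rule) {
  return "<tr><td>" + rule.app + "</td><td>" + rule.triggerPort + "</td></tr>";
}

// Hardened pattern: encode on output and emit the port only if it is a
// valid port number, whatever was accepted when the rule was stored.
function renderRowSafe(rule) {
  const port = Number.parseInt(rule.triggerPort, 10);
  const portText = port >= 1 && port <= 65535 ? String(port) : "";
  return "<tr><td>" + escapeHtml(rule.app) + "</td><td>" + portText + "</td></tr>";
}

// Build the whole table with the chosen row renderer.
function renderTable(rules, renderRow) {
  return "<table>" + rules.map(renderRow).join("") + "</table>";
}

console.log(renderTable(storedRules, renderRowUnsafe));
console.log(renderTable(storedRules, renderRowSafe));
console.log(storedRules.map((r) => isValidAppName(r.app)));
```

Output encoding is the control that matters for rules already stored on the device; the allow-list only stops new markup from being saved.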