CVE-2024-28090 identifies a stored Cross-Site Scripting (XSS) vulnerability in Technicolor TC8715D and TC8717T routers, specifically in the dyn_dns.asp web interface page. The vulnerability arises because the User name parameter is not properly sanitized or encoded before being stored and rendered, allowing an attacker to inject malicious JavaScript code. When a legitimate user or administrator accesses the affected page, the injected script executes in their browser context, potentially leading to session hijacking, information disclosure, or manipulation of the device's web interface. The attack requires the attacker to be within Wi-Fi range of the device, as the vulnerability is exploitable remotely but only over the local wireless network. No authentication or user interaction is necessary for exploitation, increasing the risk of automated or stealthy attacks. The CVSS 3.1 base score of 5.4 reflects a medium severity, with an attack vector of adjacent network, low attack complexity, no privileges required, no user interaction, and limited confidentiality and availability impacts. While no known exploits have been reported in the wild and no patches are currently available, the vulnerability represents a significant risk for environments relying on these Technicolor devices, especially where Wi-Fi access is not tightly controlled. The CWE-79 classification confirms this as a classic stored XSS issue, a common web application security flaw that can lead to various client-side attacks.

The primary impact of this vulnerability is the potential execution of malicious scripts within the context of the affected device's web management interface. This can lead to unauthorized disclosure of sensitive information such as session tokens or configuration data, manipulation of device settings, or denial of service by disrupting the device's web interface availability. Since the attack vector is limited to Wi-Fi proximity, the threat is constrained to attackers physically near the target network, reducing the likelihood of widespread remote exploitation. However, in environments with poorly secured or open Wi-Fi networks, the risk increases significantly. Organizations relying on these Technicolor devices for critical network infrastructure may face service disruptions or compromise of network management capabilities. The lack of authentication requirement means any attacker within range can attempt exploitation without needing valid credentials, increasing the attack surface. Although no exploits are currently known in the wild, the vulnerability could be leveraged in targeted attacks against enterprises, service providers, or residential users using these devices. The impact on confidentiality is low to moderate, while availability impact is also present but limited. Integrity impact is minimal as the vulnerability does not directly allow modification of device firmware or core functions.

To mitigate CVE-2024-28090, organizations should first restrict Wi-Fi access to trusted users and devices by enforcing strong Wi-Fi encryption (WPA3 or WPA2 with strong passphrases) and network segmentation to isolate management interfaces from general user access. Disable or restrict remote management features on these devices if not required. Monitor network traffic for suspicious activity indicative of XSS exploitation attempts. Since no official patches are currently available, consider deploying web application firewalls (WAFs) or intrusion prevention systems (IPS) capable of detecting and blocking XSS payloads targeting the dyn_dns.asp page. Regularly check for firmware updates from Technicolor and apply them promptly once a patch addressing this vulnerability is released. Additionally, educate network administrators about the risks of stored XSS and encourage the use of secure configuration practices. If feasible, replace vulnerable devices with models that have robust input validation and security controls. Finally, conduct periodic security assessments and penetration testing focused on web interface vulnerabilities to detect similar issues proactively.