CVE-2024-31975 is a stored cross-site scripting (XSS) vulnerability identified in EnGenius EWS356-Fit wireless access point devices running firmware versions through 1.1.30. The vulnerability arises because the device's web management interface insufficiently sanitizes the Wi-Fi SSID parameter, allowing an attacker to embed malicious JavaScript code within the SSID field. When a user with access to the device's management interface clicks the EDIT button corresponding to the malicious SSID, the embedded JavaScript executes in the context of the user's browser session. This stored XSS attack vector can be exploited remotely over the network without requiring physical access to the device, but it requires the attacker to have some level of privileges (PR:H) and user interaction (UI:R) to trigger the payload. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, required privileges, and user interaction. The impact primarily affects confidentiality and integrity by potentially enabling session hijacking, credential theft, or further exploitation of the management interface. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly.

The vulnerability allows an attacker to execute arbitrary JavaScript code within the management interface of EnGenius EWS356-Fit devices, potentially leading to session hijacking, theft of administrative credentials, or unauthorized changes to device configuration. This can compromise the confidentiality and integrity of the device and the network it manages. While availability is not directly impacted, successful exploitation could facilitate further attacks that degrade network operations. Organizations relying on these devices for wireless connectivity, especially in sensitive environments such as enterprise networks, government agencies, or critical infrastructure, face risks of unauthorized access and data breaches. The requirement for some privileges and user interaction limits the ease of exploitation but does not eliminate risk, particularly in environments where multiple users have management access or where attackers have already gained partial network access.

1. Restrict access to the device management interface to trusted networks and users only, using network segmentation and access control lists. 2. Enforce strong authentication and role-based access controls to limit privileges required to modify SSID settings. 3. Monitor device logs and network traffic for unusual SSID changes or management interface activity. 4. Educate users with management access to avoid clicking on suspicious SSID edit buttons or links. 5. Regularly check for firmware updates from EnGenius and apply patches promptly once available. 6. If possible, disable remote management features or restrict them to secure VPN connections. 7. Implement web application firewalls (WAFs) or intrusion prevention systems (IPS) that can detect and block XSS payloads targeting device interfaces. 8. Consider using network access control (NAC) to limit devices that can connect and interact with management interfaces.