CVE-2024-34582

Affects the latest versions of Mozilla & Chrome Web Browsers, Sunhillo Rici5k & Sureline

The most current versions of the web servers running on Sunhillo devices are susceptible to reflected XSS. The vulnerability lies in the userid_change parameter of /cgi/usrPasswd.cgi. This parameter is copied into the value of an HTML tag when the user attempts to change their password using the "Forgot Password" functionality of the web server.

An attacker can use this vulnerability to construct a request that, if issued by another application user, will cause the malicious JavaScript code to execute in the context of that user's browser session with the application.
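
For operators who front these devices with a proxy that keeps access logs, the following added example (not code from the advisory or the vendor) flags requests to /cgi/usrPasswd.cgi whose userid_change value, after repeated percent-decoding, falls outside an allow-list. The log format, the GET query-string delivery, the allow-listed character set and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

TARGET_PATH = "/cgi/usrPasswd.cgi"   # endpoint named in the advisory
PARAM = "userid_change"              # reflected parameter named in the advisory
# Assumption: legitimate user IDs use only these characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._@-]{0,64}")
# Assumption: common/combined log format, request line in double quotes.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(request_target):
    """Return decoded userid_change values that fall outside the allow-list."""
    parts = urlsplit(request_target)
    if parts.path != TARGET_PATH:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    decoded = [fully_decode(v) for v in values]
    return [v for v in decoded if not SAFE_VALUE.fullmatch(v)]

def scan(log_lines):
    """Return (line_number, values) for each log line worth reviewing."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_LINE.search(line)
        values = suspicious_values(match.group(1)) if match else []
        if values:
            hits.append((number, values))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi/usrPasswd.cgi?userid_change=operator1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi/usrPasswd.cgi?userid_change=op%22%3E%3Cb%3E HTTP/1.1" 200 530',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi/usrPasswd.cgi?userid_change=op%2522%253E HTTP/1.1" 200 530',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html?userid_change=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: review userid_change={values!r}")
```

The same allow-list can be enforced as a blocking rule at the proxy; a hit in the logs only shows that a crafted request reached the device, not that a script ran in a user's browser.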