Title: RouterOS v6.36.2 - Cross Site Scripting
Type: Local/Remote
Author: Nassim Asrir
Author Company: HenceForth
Risk: (3/5)
Release Date: 11.11.2016
 
Summary:

MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware. It can also be installed on a PC and will turn it into a router with all the necessary features - routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server and more.
 
 
Vendor:

http://www.mikrotik.com/
 
Affected Version:

v6.36.2
 
Tested On:

Linux // Dist (Bugtraq 2)
 
Vendor Status:

I told them and I am waiting for the answer.
 
PoC:

- Using this vulnerability we can inject JavaScript code. To test it you must first log in to the router configuration; once logged in, you can test the XSS like this:

* http://routerip/webfig/#"><script>alert("XSSED By Nassim Asrir");</script>
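Added example (not part of the original advisory and not MikroTik's webfig code, which the advisory does not show): a hypothetical fragment handler that reproduces the attribute break-out the `">` prefix relies on, next to an escaped version and a route allow-list. All function names, the markup and the sample route are assumptions made for illustration.

```javascript
// Hypothetical illustration of the bug class; not webfig source code.
// Constructed sample: the fragment part of the PoC URL above.
const SAMPLE_HASH = '#"><script>alert("XSSED By Nassim Asrir");</script>';

// Strip the leading '#' and undo any percent-encoding applied by the browser.
function fragmentValue(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed escape sequence: keep the raw text
  }
}

// Vulnerable pattern: the fragment is concatenated into an attribute value,
// so a leading "> closes the attribute and the tag, and markup follows.
function renderUnsafe(hash) {
  return '<a class="nav" href="#' + fragmentValue(hash) + '">current page</a>';
}

// Escape every character that can end an attribute value or open a tag.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same markup, fragment escaped before insertion.
function renderSafe(hash) {
  return '<a class="nav" href="#' + escapeHtml(fragmentValue(hash)) + '">current page</a>';
}

// Stricter option: only accept fragments that look like a menu path
// (the allowed character set is an assumption, not webfig's real grammar).
function isPlausibleRoute(hash) {
  return /^[A-Za-z0-9 _.+:\/-]*$/.test(fragmentValue(hash));
}

console.log(renderUnsafe(SAMPLE_HASH));
console.log(renderSafe(SAMPLE_HASH));
console.log(isPlausibleRoute(SAMPLE_HASH), isPlausibleRoute('#Interfaces'));
```

The fragment is never sent in the HTTP request, so the fix has to live in the client-side code that reads it; server-side input filtering and access logs will not see the payload.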
 
Credits:

Vulnerability discovered by Nassim Asrir  - <wassline@gmail.com>