{"vuid":"VU#890999","idnumber":"890999","name":"Radware Alteon has a reflected XSS vulnerability that can execute JavaScript in the host browser","keywords":null,"overview":"### Overview\r\nRadware Alteon has a reflected Cross-Site Scripting (XSS) vulnerability in the parameter ReturnTo of the route /protected/login. This vulnerability allows an attacker to execute JavaScript in the host browser.\r\n\r\n### Description\r\n\r\n**CVE-2026-5754:** Reflected Cross-Site Scripting (XSS) vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities.\r\n\r\nA reflected Cross-Site Scripting (XSS) vulnerability exists in the `ReturnTo` parameter of the `/protected/login` route in Radware Alteon version 34.5.4.0. The vulnerability arises from the lack of user input sanitization, allowing an attacker to inject malicious scripts. Specifically, when a user requests a resource that redirects to a Microsoft SAML login page, the load-balancer redirects the user to the login page with a `ReturnTo` parameter that fails to sanitize user input. An attacker can exploit this by injecting a malicious payload in the `ReturnTo` parameter, which will be executed in the victim's browser. \r\n\r\nAn example attack flow is below:\r\n\r\n1. Attacker creates link with XSS payload in `ReturnTo` parameter.\r\n2. Victim clicks malicious link, redirecting to login page.\r\n3. Load-balancer reflects malicious `ReturnTo` parameter, executing XSS payload.\r\n4. Attacker performs JavaScript code execution in the victim's browser.\r\n\r\n### Impact\r\nThe impact of this vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript code in a victim’s browser. 
Doing so enables a range of harmful activities, including the following: stealing session cookies and sensitive data; performing unauthorized actions on behalf of the victim; tricking users into falling for phishing attacks; and damaging a website’s reputation and user trust.\r\n\r\n### Solution\r\nUnfortunately, we were unable to reach the vendor to coordinate this vulnerability. The vendor, Radware, has acknowledged the vulnerability in their customer portal and plans to patch it in the next version, 34.5.7.0. This version was expected to be released on March 31st, 2026, based upon the release notes, but it is unclear if this release occurred and included a fix. In the meantime, users are advised to take precautions to prevent exploitation, such as validating and encoding user input.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, Loinaz Merino Cerrajeria, for bringing this vulnerability to our attention. This document was written by Timur Snoke.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["added apostrophe and 
\"user\""],"cveids":["CVE-2026-5754"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-04-21T15:16:57.322231Z","publicdate":"2026-04-21T15:16:57.173408Z","datefirstpublished":"2026-04-21T15:16:57.335235Z","dateupdated":"2026-04-21T15:16:57.173404Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":190}