This vulnerability allows remote attackers to insert persistent JavaScript on vulnerable installations of the Denon AVR-3313CI audio/video receiverβs web portal. Authentication is not required to persist the attack. However, user interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within parameters used by s_network.asp which does not properly sanitize user-supplied data. Some parameter values are used on multiple pages and the injected JavaScript will therefore run when any user views any of those pages, including the portalβs landing page.