Product: CF-WR623N (http://www.comfast.com.cn/index.php?m=content&c=index&a=show&catid=98&id=13)
Description: Malicious JavaScript can be triggered inside the SSID parameter on the CF-WR623N router
This one is fairly self-explanatory: in the 3rd router setup step, you're allowed to configure the name of the SSID. Again, in the grand scheme of things, at the moment this is absolutely impact-less.
However, if they do patch, then maybe you could make an overblown, not realistic attack scenario leveraging this.
<img src=x onerror=prompt(1)>
SSID can only be 32 characters long. If you're a web skid like me, you might be using XSS Hunter; however, as you know, these payloads weren't going to work. So instead I just created a short domain that forwarded to my XSS Hunter payload page. As seen below, this worked like a charm.
If you don't want to purchase a short, and typically expensive, domain, you can simply use the following as PoCs, which I think more than illustrate the point. If you want some out-of-the-box, somewhat impact-less short XSS payloads, this is a good resource.
To illustrate this differently, I'll use tiny URLs, and if they get unpacked then it proves the vulnerability. In this case, tiny.cc/1lnsuz is the minified URL that redirects to google.com. In theory, if I set my SSID to <embed src=//tiny.cc/1lnsuz, which is 28 in length, I should pop google.com.
Look what happens when I log in to the router with this SSID.
It fetches the minified URL, which in turn gets google.com.
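The behaviour described above comes from the admin page writing the stored SSID into HTML unencoded, and the 32-character limit does nothing to stop it. The following is an added example, not the CF-WR623N firmware's code: the render functions and the table-cell markup are hypothetical, and the two markup-bearing SSIDs are the ones quoted in this write-up.

```javascript
// Added example: hypothetical render helpers, not taken from the router firmware.
const SSID_MAX_BYTES = 32; // the length limit mentioned in the write-up
const CELL_OPEN = '<td class="ssid">'; // assumed markup for the SSID cell
const CELL_CLOSE = "</td>";

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// All that a length limit enforces: size, not content.
function fitsSsidLimit(ssid) {
  return Buffer.byteLength(ssid, "utf8") <= SSID_MAX_BYTES;
}

// Vulnerable pattern: the stored SSID is concatenated into the page as-is.
function renderSsidUnsafe(ssid) {
  return CELL_OPEN + ssid + CELL_CLOSE;
}

// Hardened pattern: the SSID is HTML-encoded at the point of output.
function renderSsidSafe(ssid) {
  return CELL_OPEN + escapeHtml(ssid) + CELL_CLOSE;
}

// True when the cell body still contains something a browser parses as a tag.
function cellContainsMarkup(html) {
  const body = html.slice(CELL_OPEN.length, html.length - CELL_CLOSE.length);
  return /<[a-z!\/]/i.test(body);
}

// Sample SSIDs: two quoted in the write-up, one constructed benign name.
const SAMPLE_SSIDS = [
  "<img src=x onerror=prompt(1)>",
  "<embed src=//tiny.cc/1lnsuz",
  "HomeNet & Guest",
];

// Compare both render paths for every sample.
function auditSamples() {
  return SAMPLE_SSIDS.map((ssid) => ({
    ssid,
    fitsLimit: fitsSsidLimit(ssid),
    unsafeHasMarkup: cellContainsMarkup(renderSsidUnsafe(ssid)),
    safeHasMarkup: cellContainsMarkup(renderSsidSafe(ssid)),
  }));
}

console.table(auditSamples());
```

Every sample passes the length check, so the limit is not a control; only the encoded render path keeps the SSID as inert text.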