On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was found in the form2userconfig.cgi username parameter.
d-link dir-600m_firmware fw3.05b01