CVE-2025-25427

Опубликовано: 18 апр. 2025

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web Interface in TP-Link WR841N v14/v14.6/v14.8 <= Build 241230 Rel. 50788n allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution of the JavaScript payload when the upnp page is loaded.

Ссылки

https://github.com/slin99/2025-25427
Exploit
Third Party Advisory
https://www.tp-link.com/us/support/download/tl-wr841n/#Firmware
Product
https://www.tp-link.com/us/support/faq/4415/
Vendor Advisory
https://github.com/slin99/2025-25427/blob/master/readme.md
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:tp-link:wr841n_firmware:*:*:*:*:*:*:*:*

Версия до 241230 (включая)

Одно из

cpe:2.3:h:tp-link:wr841n:14:*:*:*:*:*:*:*

cpe:2.3:h:tp-link:wr841n:14.6:*:*:*:*:*:*:*

cpe:2.3:h:tp-link:wr841n:14.8:*:*:*:*:*:*:*

EPSS

Процентиль: 34%

0.00138

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-fgvj-q3hx-cpwr

CVSS3: 5.4

github

10 месяцев назад

A Stored cross-site scripting (XSS) vulnerability in upnp page of the web Interface in TP-Link WR841N <=4.19 allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution of the JavaScript payload when the upnp page is loaded.

BDU:2025-04721

CVSS3: 8.8

fstec

11 месяцев назад

Уязвимость функции doUpate веб-интерфейса микропрограммного обеспечения маршрутизатора TP-Link TL-WR841N, позволяющая нарушителю внедрить произвольный JavaScript-код