Cross site scripting

2021-03-2613:15:00

PRIOn knowledge base

www.prio-n.com

0.005 Low

EPSS

Percentile

77.3%

JSON

Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm and use this vulnerable hostname function (setDefaultHostname()) without sanitization.

CPENameOperatorVersion
archer-c3150_firmwareeqv2-170926
td-w9977_firmwareeqv10.1.00.9.1upboot1611232016112315.36.15
tl-wa801n_firmwareeqv6eu0.9.13.16upboot[200116rel61815]
tl-wa801nd_firmwareeqv5us0.9.13.16upboot[170905rel56404]
tl-wr802n_firmwareeqv4us0.9.13.17upboot[200421rel38950]

Name	Operator	Version
archer-c3150_firmware	eq	v2-170926
td-w9977_firmware	eq	v10.1.00.9.1upboot1611232016112315.36.15
tl-wa801n_firmware	eq	v6eu0.9.13.16upboot[200116rel61815]
tl-wa801nd_firmware	eq	v5us0.9.13.16upboot[170905rel56404]
tl-wr802n_firmware	eq	v4us0.9.13.17upboot[200421rel38950]