TP-Link Archer VR300 1 Cross Site Scripting

Credit: Okan Coskun
Risk: Low
Local: No
Remote: Yes

I. VULNERABILITY
-------------------------
Stored XSS Vulnerability on TP-Link Archer VR300 v1 - firmware version: 1.3.0 0.8.0 v007b.1 build 180905 Rel.55344n

II. CVE REFERENCE
-------------------------
-

III. VENDOR
-------------------------

IV. TIMELINE
-------------------------
04/10/2018 Vulnerability discovered
05/10/2018 Vendor contacted, no response

V. CREDIT
-------------------------
Okan Coşkun from Biznet Bilisim A.S.
Halil Arı from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
The TP-Link router interface is affected by a stored XSS vulnerability. A remote attacker could steal a victim's cookie or redirect the victim to a malicious site.

VII. PROOF OF CONCEPT
-------------------------
Affected Component: VPN Name
Path(inurl): /cgi?3
Affected parameter: connName

In the TP-Link router interface, adding a VPN configuration with a malicious VPN name could execute arbitrary JavaScript.
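
The advisory names no fix. As an added example (not code from the advisory or from TP-Link firmware), the sketch below shows the two controls that keep a stored value such as connName from executing in an admin page: allowlist validation when the name is saved and HTML encoding when it is rendered. The function names, the character allowlist and the 32-character limit are assumptions.

```javascript
// Added example: hypothetical handling of a stored VPN connection name.
// Names, allowlist and length limit are assumptions, not firmware code.

// Input side: accept only characters a connection name plausibly needs.
const CONN_NAME_RE = /^[A-Za-z0-9 _.-]{1,32}$/;

function validateConnName(name) {
  return typeof name === "string" && CONN_NAME_RE.test(name);
}

// Output side: encode the HTML-significant characters so a stored value is
// rendered as text, even if it was saved before validation existed.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the stored value is concatenated straight into markup,
// so any tags it contains become part of the page.
function renderRowUnsafe(connName) {
  return "<tr><td>" + connName + "</td></tr>";
}

// Hardened pattern: the same row with the value encoded on output.
function renderRowSafe(connName) {
  return "<tr><td>" + escapeHtml(connName) + "</td></tr>";
}

// Constructed sample values: one ordinary name, one carrying markup.
const samples = ["Office-VPN", "<script>alert(1)</script>"];
for (const s of samples) {
  console.log(validateConnName(s), renderRowSafe(s));
}
```

Validation alone does not protect values already stored, which is why the rendering path encodes regardless of what the save path accepted.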
