I. VULNERABILITY ------------------------- Stored XSS Vulnerability on TP-Link Archer VR300 v1 - firmware version: 1.3.0 0.8.0 v007b.1 build 180905 Rel.55344n II. CVE REFERENCE ------------------------- - III. VENDOR ------------------------- https://www.tp-link.com/ IV. TIMELINE ------------------------- 04/10/2018 Vulnerability discovered 05/10/2018 Vendor contacted no Response V. CREDIT ------------------------- Okan Coşkun from Biznet Bilisim A.S. Halil Arı From Biznet Bilisim A.S VI. DESCRIPTION ------------------------- Tp-Link Router interface is affected by stored XSS vulnerability. A remote attacker could steal victims cookie or redirect victim to malicious site. VII. PROOF OF CONCEPT ------------------------- Affected Component: VPN Name Path(inurl): /cgi?3 Affected parameter: connName On TP-Link Router Interface adding VPN configurations with malicious VPN Name could execute arbitrary javascript.