Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm and use this vulnerable hostname function (setDefaultHostname()) without sanitization.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
tp-link td-w9977_firmware v1_0.1.0_0.9.1_up_boot\\(161123\\)_2016-11-23_15.36.15 |
||
tp-link tl-wa801nd_firmware v5_us_0.9.1_3.16_up_boot\\[170905-rel56404\\] |
||
tp-link tl-wa801n_firmware v6_eu_0.9.1_3.16_up_boot\\[200116-rel61815\\] |
||
tp-link tl-wr802n_firmware v4_us_0.9.1_3.17_up_boot\\[200421-rel38950\\] |
||
tp-link archer-c3150_firmware v2_170926 |