A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web Interface in TP-Link WR841N v14/v14.6/v14.8 <= Build 241230 Rel. 50788n allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution of the JavaScript payload when the upnp page is loaded.
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XTp Link Wr841n
HWTp-Link1414.614.8Tp Link Wr841n Firmware
OSTp-Link≤ 241230
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
Related vulnerabilities
CVE-2020-35575CRITICAL9.8ten sam produkt
A password-disclosure issue in the web interface on certain TP-Link devices allows a remote attacker to get fu...
CVE-2025-6542CRITICAL9.3PL ✓ten sam vendor
Zdalne wykonanie poleceń OS bez uwierzytelnienia w routerach TP-Link Omada
CVE-2025-7850CRITICAL9.3PL ✓ten sam vendor
Command injection w bramkach Omada (TP-Link) po uwierzytelnieniu admina
CVE-2024-57040CRITICAL9.8PL ✓ten sam vendor
TP-Link TL-WR845N — zakodowane na stałe hasło roota (hardcoded password)
CVE-2024-46340CRITICAL9.8PL ✓ten sam vendor
TP-Link TL-WR845N — przesyłanie danych uwierzytelniających w postaci jawnego tekstu