FKIE_CVE-2024-57514

Vulnerability from fkie_nvd - Published: 2025-01-28 22:15 - Updated: 2025-01-29 16:15
Severity ?
4.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting (XSS) due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL. This allows the attacker to inject malicious code into the page, executing JavaScript on the victim's browser, which could then be used for further malicious actions. The vulnerability was identified in the 1.0.6 Build 20231011 rel.85717(5553) version.
References
cve@mitre.orghttps://www.zyenra.com/blog/xss-in-tplink-archer-a20.html
134c704f-9b21-4f2e-91b3-4a467353bcc0https://www.zyenra.com/blog/xss-in-tplink-archer-a20.html
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting (XSS) due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router\u0027s web page renders the directory listing and executes arbitrary JavaScript embedded in the URL. This allows the attacker to inject malicious code into the page, executing JavaScript on the victim\u0027s browser, which could then be used for further malicious actions. The vulnerability was identified in the 1.0.6 Build 20231011 rel.85717(5553) version."
    },
    {
      "lang": "es",
      "value": "El TP-Link Archer A20 v3 router es vulnerable a Cross-site Scripting (XSS) debido a la gesti\u00f3n inadecuada de las rutas de listado de directorios en la interfaz web. Cuando se visita una URL manipulado especial, la p\u00e1gina web del router muestra el listado de directorios y ejecuta JavaScript arbitrario incrustado en la URL. Esto permite al atacante inyectar c\u00f3digo malicioso en la p\u00e1gina, ejecutando JavaScript en el navegador de la v\u00edctima, que luego podr\u00eda usarse para otras acciones maliciosas. La vulnerabilidad se identific\u00f3 en la versi\u00f3n 1.0.6 Build 20231011 rel.85717(5553)."
    }
  ],
  "id": "CVE-2024-57514",
  "lastModified": "2025-01-29T16:15:43.533",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-28T22:15:16.103",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://www.zyenra.com/blog/xss-in-tplink-archer-a20.html"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://www.zyenra.com/blog/xss-in-tplink-archer-a20.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.