Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm and use this vulnerable hostname function (setDefaultHostname()) without sanitization.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/161989/TP-Link-Cross-Site-Scripting.html | Exploit Third Party Advisory VDB Entry |
https://github.com/smriti548/CVE/blob/main/CVE-2021-3275 | Exploit Third Party Advisory |
https://seclists.org/fulldisclosure/2021/Mar/67 | Exploit Mailing List Third Party Advisory |
https://www.tp-link.com | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-03-26T12:21:23
Updated: 2021-03-26T16:06:13
Reserved: 2021-01-22T00:00:00
Link: CVE-2021-3275
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-03-26T13:15:11.663
Modified: 2021-04-01T02:23:13.020
Link: CVE-2021-3275
JSON object: View
Redhat Information
No data.
CWE