Cross-Site Scripting vulnerability in TP-Link Archer AX50

Posted date 05/03/2024
Identifier
INCIBE-2024-0114
Importance
3 - Medium
Affected Resources

Archer AX50, version 1.0.11 build 2022052.

Description

INCIBE has coordinated the publication of 1 medium severity vulnerability affecting TP-Link Archer AX50, a dual-band router device, in version 1.0.11 build 2022052. The vulnerability was discovered by Victor Fresco Perales (@hacefresko).

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-2188: 6.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | CWE-79.

Solution

Update the firmware to Archer AX50(EU)_V1_1.0.14 build 20240108.

Detail

CVE-2024-2188: Stored Cross-Site Scripting (XSS) vulnerability in TP-Link Archer AX50 affecting firmware version 1.0.11 build 2022052. This vulnerability could allow an unauthenticated attacker to create a port mapping rule via a SOAP request and store a malicious JavaScript payload within that rule, which could result in execution of the JavaScript payload when the rule is loaded.
