TP-Link · TL-WA801Nv6 · CVE-2021-3275
**Name of the Vulnerable Software and Affected Versions**
TP-Link WIFI Routers (Wireless AC routers) versions TD-W9977v1
TP-Link Access Points versions TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5
TP-Link ADSL + DSL Gateways and Routers versions Archer C3150v2
**Description**
Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products due to the improper validation of the hostname. The vulnerable hostname function `setDefaultHostname()` is used without sanitization in several pages, including "dhcp.htm", "networkMap.htm", "dhcpClient.htm", "qsEdit.htm", and "qsReview.htm".
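The following is an added illustration, not TP-Link firmware code and not part of the original advisory. It shows the two controls whose absence the description points to: validating a hostname against RFC 1123 before storing it, and HTML-encoding it wherever a page displays it. The function names, the client-table markup and the sample records are assumptions constructed for the example.

```javascript
// Added example. Names, markup and data are assumptions, not vendor code.

// One RFC 1123 label: letters, digits, hyphen; 1-63 chars; no edge hyphen.
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

// Input control: accept only dot-separated RFC 1123 labels, 253 chars max.
function isValidHostname(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 253) {
    return false;
  }
  return name.split(".").every((label) => LABEL.test(label));
}

// Output control: encode every character that is significant in HTML text
// and quoted attribute values, so stored data can never become markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render one row of a hypothetical client list. The hostname is encoded
// even when validation fails, so a rejected name is still safe to display.
function renderClientRow(client) {
  const cls = isValidHostname(client.hostname) ? "ok" : "rejected";
  return `<tr class="${cls}"><td>${escapeHtml(client.hostname)}</td>` +
         `<td>${escapeHtml(client.ip)}</td></tr>`;
}

function renderClientTable(clients) {
  return `<table>${clients.map(renderClientRow).join("")}</table>`;
}

// Constructed sample records: one normal name, one containing markup
// characters, one that breaks the RFC 1123 edge-hyphen rule.
const sampleClients = [
  { hostname: "office-laptop", ip: "192.168.0.101" },
  { hostname: "printer<script>x</script>", ip: "192.168.0.102" },
  { hostname: "-bad-", ip: "192.168.0.103" },
];

console.log(renderClientTable(sampleClients));
```

Validation alone is not sufficient, because any page that prints a previously stored value still needs the output encoding step.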
**Recommendations**
For TD-W9977v1, consider disabling the `setDefaultHostname()` function until a patch is available.
For TL-WA801NDv5, TL-WA801Nv6, and TL-WA802Nv5, restrict access to the vulnerable pages, including "dhcp.htm", "networkMap.htm", "dhcpClient.htm", "qsEdit.htm", and "qsReview.htm", to minimize the risk of exploitation.
For Archer C3150v2, avoid using the vulnerable hostname function `setDefaultHostname()` until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.