PT-2021-19903 · Tp Link · Tl-Wa801Nv6+4

Kaustubh Padwad +1 · Published 2021-03-26 · Updated 2021-04-01 · CVE-2021-3275

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

TP-Link WIFI Routers (Wireless AC routers) versions TD-W9977v1
TP-Link Access Points versions TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5
TP-Link ADSL + DSL Gateways and Routers versions Archer C3150v2

Description

Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products due to the improper validation of the hostname. The vulnerable hostname function setDefaultHostname() is used without sanitization in several pages, including "dhcp.htm", "networkMap.htm", "dhcpClient.htm", "qsEdit.htm", and "qsReview.htm".

Recommendations

For TD-W9977v1, consider disabling the setDefaultHostname() function until a patch is available. For TL-WA801NDv5, TL-WA801Nv6, and TL-WA802Nv5, restrict access to the vulnerable pages, including "dhcp.htm", "networkMap.htm", "dhcpClient.htm", "qsEdit.htm", and "qsReview.htm", to minimize the risk of exploitation. For Archer C3150v2, avoid using the vulnerable hostname function setDefaultHostname() until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
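
The description attributes the issue to a hostname that is stored and later written into several pages without sanitization. The sketch below is an added example, not TP-Link firmware code: it shows the two controls that close that class of bug, validating the hostname before it is stored and HTML-encoding it when a page renders it. All function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added example; isValidHostname, escapeHtml, storeHostname and
// renderClientRow are hypothetical names, not the vendor's API.

// RFC 952/1123 label: 1-63 letters, digits or hyphens, no hyphen at either end.
const LABEL = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidHostname(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 253) {
    return false;
  }
  // Every dot-separated label must match; empty labels ("a..b") fail.
  return name.split('.').every((label) => LABEL.test(label));
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input-side control: refuse to store anything that is not a hostname.
function storeHostname(store, clientId, name) {
  if (!isValidHostname(name)) return false;
  store.set(clientId, name);
  return true;
}

// Output-side control: encode at render time as well, because records
// written before validation existed (or by another code path) may still
// contain markup.
function renderClientRow(name, ip) {
  return `<tr><td>${escapeHtml(name)}</td><td>${escapeHtml(ip)}</td></tr>`;
}

// Constructed sample values.
const SAMPLE_OK = 'office-ap.lan';
const SAMPLE_MARKUP = '"><i>ap</i>';
```

Encoding on output is the control that matters for every page that displays the value; validation on input only reduces what can reach storage.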

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-3275

Affected Products

Archer C3150V2
Td-W9977V1
Tl-Wa801Ndv5
Tl-Wa801Nv6
Tl-Wa802Nv5