PT-2024-2143 · Tp Link · Tp-Link Archer C50

Hacefresko +1 · Published 2024-01-30 · Updated 2024-09-23 · CVE-2024-2188

CVSS v3.1: 6.1 Medium

Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

TP-Link Archer AX50 version 1.0.11 build 2022052

Description

The issue is related to a Cross-Site Scripting (XSS) vulnerability that could allow an unauthenticated attacker to create a port mapping rule via a SOAP request and store a malicious JavaScript payload within that rule. This payload could be executed when the rule is loaded. The vulnerability is associated with the lack of protection for the web page structure, which could enable an attacker to execute arbitrary JavaScript code when a created port mapping rule is loaded.

Recommendations

For TP-Link Archer AX50 version 1.0.11 build 2022052, consider disabling the SOAP request functionality that allows creating port mapping rules until a patch is available. Restrict access to the port mapping rule feature to minimize the risk of exploitation. Avoid using the vulnerable firmware version until an update is released. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-02052
CVE-2024-2188

Affected Products

Tp-Link Archer C50