PT-2025-17247 · Tp Link · Tp-Link Wr841N
Slin99 · Published 2025-03-20 · Updated 2025-04-23 · CVE-2025-25427
CVSS v4.0: 8.6 (High)
Vector: AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:L
Name of the Vulnerable Software and Affected Versions
TP-Link WR841N versions v14/v14.6/v14.8 <= Build 241230 Rel. 50788n
TP-Link WR841N version <= 4.19
Description
A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web interface in TP-Link WR841N allows remote attackers to inject arbitrary JavaScript code via the port mapping description. The injected JavaScript payload executes when the upnp page is loaded.
Recommendations
For TP-Link WR841N versions v14/v14.6/v14.8 <= Build 241230 Rel. 50788n, consider disabling the upnp.htm page until a patch is available.
For TP-Link WR841N version <= 4.19, restrict access to the upnp page to minimize the risk of exploitation.
As a temporary workaround, avoid using the port mapping description in the affected API endpoint until the issue is resolved.
Exploit
Fix
XSS
Affected Products
Tp-Link Wr841N