CVE-2025-25427

Published: Apr 18, 2025Modified: Jul 9, 2025

8.6

Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: f23511db-6c3e-4e32-a477-6aa17d310630 (Secondary)

Description

A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web Interface in TP-Link WR841N v14/v14.6/v14.8 <= Build 241230 Rel. 50788n allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution of the JavaScript payload when the upnp page is loaded.

Affected (1)

Products: Tp Link: Wr841n Firmware

1 product

Wr841n Firmware

Configuration A

1 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Tp Link Wr841n Firmware	Up to 241230

Running on/with	Platform Versions
Tp Link Wr841n	Version 14.6
Tp Link Wr841n	Version 14.8
Tp Link Wr841n	Version 14

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/slin99/2025-25427

Source: f23511db-6c3e-4e32-a477-6aa17d310630

ExploitThird Party Advisory

https://www.tp-link.com/us/support/download/tl-wr841n/#Firmware

Source: f23511db-6c3e-4e32-a477-6aa17d310630

Product

https://www.tp-link.com/us/support/faq/4415/

Source: f23511db-6c3e-4e32-a477-6aa17d310630

Vendor Advisory

https://github.com/slin99/2025-25427/blob/master/readme.md

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.