ID

VAR-202504-3211


CVE

CVE-2025-3994


TITLE

Cross-site scripting vulnerability in TOTOLINK N150RT firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-004717

DESCRIPTION

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been classified as problematic. Affected is an unknown function of the file /home.htm of the component IP Port Filtering. The manipulation of the argument Comment leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The TOTOLINK N150RT firmware contains cross-site scripting and code injection vulnerabilities. Information may be tampered with. TOTOLINK N150RT is a wireless router from China's TOTOLINK Electronics. TOTOLINK N150RT version 3.4.0-B20190525 has a cross-site scripting vulnerability. Attackers can exploit this vulnerability to execute arbitrary web scripts or HTML by injecting carefully crafted payloads.

Trust: 2.16

sources: NVD: CVE-2025-3994 // JVNDB: JVNDB-2025-004717 // CNVD: CNVD-2025-09849

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-09849

AFFECTED PRODUCTS

vendor: totolink model: n150rt scope: eq version: 3.4.0-b20190525

Trust: 1.0

vendor: totolink model: n150rt scope: - version: -

Trust: 0.8

vendor: totolink model: n150rt scope: eq version: -

Trust: 0.8

vendor: totolink model: n150rt scope: eq version: n150rt firmware 3.4.0-b20190525

Trust: 0.8

vendor: totolink model: n150rt 3.4.0-b20190525 scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2025-09849 // JVNDB: JVNDB-2025-004717 // NVD: CVE-2025-3994

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-3994
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2025-3994
value: LOW

Trust: 1.0

OTHER: JVNDB-2025-004717
value: LOW

Trust: 0.8

CNVD: CNVD-2025-09849
value: LOW

Trust: 0.6

cna@vuldb.com: CVE-2025-3994
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-004717
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-09849
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-3994
baseSeverity: LOW
baseScore: 2.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 1.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-3994
baseSeverity: LOW
baseScore: 3.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: JVNDB-2025-004717
baseSeverity: LOW
baseScore: 3.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-09849 // JVNDB: JVNDB-2025-004717 // NVD: CVE-2025-3994 // NVD: CVE-2025-3994

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.0

problemtype:CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

problemtype: Cross-site scripting (CWE-79) [others]

Trust: 0.8

problemtype: Code injection (CWE-94) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2025-004717 // NVD: CVE-2025-3994

PATCH

title: Patch for TOTOLINK N150RT IP Port Filtering Component Cross-Site Scripting Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/687806

Trust: 0.6

sources: CNVD: CNVD-2025-09849

EXTERNAL IDS

db: NVD id: CVE-2025-3994

Trust: 3.2

db: VULDB id: 306330

Trust: 1.8

db: JVNDB id: JVNDB-2025-004717

Trust: 0.8

db: CNVD id: CNVD-2025-09849

Trust: 0.6

sources: CNVD: CNVD-2025-09849 // JVNDB: JVNDB-2025-004717 // NVD: CVE-2025-3994

REFERENCES

url:https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/n150rt/xss_ip_port_filering

Trust: 2.4

url:https://vuldb.com/?id.306330

Trust: 1.8

url:https://vuldb.com/?submit.557945

Trust: 1.8

url:https://www.totolink.net/

Trust: 1.8

url:https://vuldb.com/?ctiid.306330

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-3994

Trust: 0.8

sources: CNVD: CNVD-2025-09849 // JVNDB: JVNDB-2025-004717 // NVD: CVE-2025-3994

SOURCES

db: CNVD id: CNVD-2025-09849
db: JVNDB id: JVNDB-2025-004717
db: NVD id: CVE-2025-3994

LAST UPDATE DATE

2025-05-17T03:41:27.377000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2025-09849 date: 2025-05-15T00:00:00
db: JVNDB id: JVNDB-2025-004717 date: 2025-05-13T02:28:00
db: NVD id: CVE-2025-3994 date: 2025-05-12T19:30:48.547

SOURCES RELEASE DATE

db: CNVD id: CNVD-2025-09849 date: 2025-05-13T00:00:00
db: JVNDB id: JVNDB-2025-004717 date: 2025-05-13T00:00:00
db: NVD id: CVE-2025-3994 date: 2025-04-28T01:15:45.233