Details of VAR-202504-3238

ID

VAR-202504-3238

CVE

CVE-2025-3996

TITLE

TOTOLINK of N150RT Cross-site scripting vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-005957

DESCRIPTION

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /home.htm of the component MAC Filtering Page. The manipulation of the argument Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of N150RT The firmware contains cross-site scripting and code injection vulnerabilities.Information may be obtained and information may be tampered with. TOTOLINK N150RT is a high-power wireless router device. TOTOLINK N150RT has a cross-site scripting vulnerability, which originates from the parameter Comment in the file /home.htm. No detailed vulnerability details are provided at present

Trust: 2.16

sources: NVD: CVE-2025-3996 // JVNDB: JVNDB-2025-005957 // CNVD: CNVD-2025-11988

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-11988

AFFECTED PRODUCTS

vendor:	totolink	model:	n150rt	scope:	eq	version:	3.4.0-b20190525	Trust: 1.0
vendor:	totolink	model:	n150rt	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	n150rt	scope:	eq	version:	n150rt firmware 3.4.0-b20190525	Trust: 0.8
vendor:	totolink	model:	n150rt	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	n150rt 3.4.0-b20190525	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2025-11988 // JVNDB: JVNDB-2025-005957 // NVD: CVE-2025-3996

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2025-3996
value:	MEDIUM
Trust: 1.0
nvd@nist.gov:	CVE-2025-3996
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2025-005957
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2025-11988
value:	LOW
Trust: 0.6

cna@vuldb.com:	CVE-2025-3996
severity:	LOW
baseScore:	3.3
vectorString:	AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
OTHER:	JVNDB-2025-005957
severity:	LOW
baseScore:	3.3
vectorString:	AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2025-11988
severity:	LOW
baseScore:	3.3
vectorString:	AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

cna@vuldb.com:	CVE-2025-3996
baseSeverity:	LOW
baseScore:	2.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	1.4
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2025-3996
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	JVNDB-2025-005957
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-11988 // JVNDB: JVNDB-2025-005957 // NVD: CVE-2025-3996 // NVD: CVE-2025-3996

PROBLEMTYPE DATA

problemtype:	CWE-94	Trust: 1.0
problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [ others ]	Trust: 0.8
problemtype:	Code injection (CWE-94) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-005957 // NVD: CVE-2025-3996

PATCH

title:

Patch for TOTOLINK N150RT home.htm cross-site scripting vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/695701

Trust: 0.6

sources: CNVD: CNVD-2025-11988

EXTERNAL IDS

db:	NVD	id:	CVE-2025-3996	Trust: 3.2
db:	VULDB	id:	306332	Trust: 1.8
db:	JVNDB	id:	JVNDB-2025-005957	Trust: 0.8
db:	CNVD	id:	CNVD-2025-11988	Trust: 0.6

sources: CNVD: CNVD-2025-11988 // JVNDB: JVNDB-2025-005957 // NVD: CVE-2025-3996

REFERENCES

url:	https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/n150rt/xss_mac_filering	Trust: 2.4
url:	https://vuldb.com/?id.306332	Trust: 1.8
url:	https://vuldb.com/?submit.557947	Trust: 1.8
url:	https://www.totolink.net/	Trust: 1.8
url:	https://vuldb.com/?ctiid.306332	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2025-3996	Trust: 0.8

sources: CNVD: CNVD-2025-11988 // JVNDB: JVNDB-2025-005957 // NVD: CVE-2025-3996

SOURCES

db:	CNVD	id:	CNVD-2025-11988
db:	JVNDB	id:	JVNDB-2025-005957
db:	NVD	id:	CVE-2025-3996

LAST UPDATE DATE

2025-06-12T01:56:25.123000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-11988	date:	2025-06-10T00:00:00
db:	JVNDB	id:	JVNDB-2025-005957	date:	2025-05-29T06:52:00
db:	NVD	id:	CVE-2025-3996	date:	2025-05-28T15:16:00.770

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-11988	date:	2025-06-10T00:00:00
db:	JVNDB	id:	JVNDB-2025-005957	date:	2025-05-29T00:00:00
db:	NVD	id:	CVE-2025-3996	date:	2025-04-28T03:15:18.527