Details of VAR-202504-3700

ID

VAR-202504-3700

CVE

CVE-2025-25427

TITLE

TP-LINK Technologies of wr841n Cross-site scripting vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-008345

DESCRIPTION

A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web Interface in TP-Link WR841N v14/v14.6/v14.8 <= Build 241230 Rel. 50788n allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution of the JavaScript payload when the upnp page is loaded. TP-LINK Technologies of wr841n Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with

Trust: 1.62

sources: NVD: CVE-2025-25427 // JVNDB: JVNDB-2025-008345

AFFECTED PRODUCTS

vendor:	tp link	model:	wr841n	scope:	lte	version:	241230	Trust: 1.0
vendor:	tp link	model:	wr841n	scope:	eq	version:	-	Trust: 0.8
vendor:	tp link	model:	wr841n	scope:	-	version:	-	Trust: 0.8
vendor:	tp link	model:	wr841n	scope:	lte	version:	wr841n firmware 241230 and earlier	Trust: 0.8

sources: JVNDB: JVNDB-2025-008345 // NVD: CVE-2025-25427

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2025-25427
value:	MEDIUM
Trust: 1.0
f23511db-6c3e-4e32-a477-6aa17d310630:	CVE-2025-25427
value:	HIGH
Trust: 1.0
NVD:	CVE-2025-25427
value:	MEDIUM
Trust: 0.8

nvd@nist.gov:	CVE-2025-25427
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2025-25427
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2025-008345 // NVD: CVE-2025-25427 // NVD: CVE-2025-25427

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-008345 // NVD: CVE-2025-25427

EXTERNAL IDS

db:	NVD	id:	CVE-2025-25427	Trust: 2.6
db:	JVNDB	id:	JVNDB-2025-008345	Trust: 0.8

sources: JVNDB: JVNDB-2025-008345 // NVD: CVE-2025-25427

REFERENCES

url:	https://github.com/slin99/2025-25427	Trust: 1.8
url:	https://www.tp-link.com/us/support/download/tl-wr841n/#firmware	Trust: 1.8
url:	https://www.tp-link.com/us/support/faq/4415/	Trust: 1.8
url:	https://github.com/slin99/2025-25427/blob/master/readme.md	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2025-25427	Trust: 0.8

sources: JVNDB: JVNDB-2025-008345 // NVD: CVE-2025-25427

SOURCES

db:	JVNDB	id:	JVNDB-2025-008345
db:	NVD	id:	CVE-2025-25427

LAST UPDATE DATE

2025-07-11T22:17:04.073000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2025-008345	date:	2025-07-10T02:45:00
db:	NVD	id:	CVE-2025-25427	date:	2025-07-09T17:35:24.770

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2025-008345	date:	2025-07-10T00:00:00
db:	NVD	id:	CVE-2025-25427	date:	2025-04-18T01:15:32.427