Details of VAR-202505-0157

ID

VAR-202505-0157

CVE

CVE-2025-4460

TITLE

TOTOLINK of N150RT Cross-site scripting vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-005647

DESCRIPTION

A vulnerability classified as problematic has been found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the component URL Filtering Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. TOTOLINK of N150RT The firmware contains cross-site scripting and code injection vulnerabilities.Information may be obtained and information may be tampered with. TOTOLINK N150RT is a wireless router produced by China's TOTOLINK Electronics. No detailed vulnerability details are currently provided

Trust: 2.16

sources: NVD: CVE-2025-4460 // JVNDB: JVNDB-2025-005647 // CNVD: CNVD-2025-10935

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-10935

AFFECTED PRODUCTS

vendor:	totolink	model:	n150rt	scope:	eq	version:	3.4.0-b20190525	Trust: 1.0
vendor:	totolink	model:	n150rt	scope:	-	version:	-	Trust: 0.8
vendor:	totolink	model:	n150rt	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	n150rt	scope:	eq	version:	n150rt firmware 3.4.0-b20190525	Trust: 0.8
vendor:	totolink	model:	n150rt 3.4.0-b20190525	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2025-10935 // JVNDB: JVNDB-2025-005647 // NVD: CVE-2025-4460

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2025-4460
value:	MEDIUM
Trust: 1.0
nvd@nist.gov:	CVE-2025-4460
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2025-005647
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2025-10935
value:	LOW
Trust: 0.6

cna@vuldb.com:	CVE-2025-4460
severity:	LOW
baseScore:	3.3
vectorString:	AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
OTHER:	JVNDB-2025-005647
severity:	LOW
baseScore:	3.3
vectorString:	AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2025-10935
severity:	LOW
baseScore:	3.3
vectorString:	AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

cna@vuldb.com:	CVE-2025-4460
baseSeverity:	LOW
baseScore:	2.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	1.4
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2025-4460
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	JVNDB-2025-005647
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-10935 // JVNDB: JVNDB-2025-005647 // NVD: CVE-2025-4460 // NVD: CVE-2025-4460

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	CWE-94	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [ others ]	Trust: 0.8
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8
problemtype:	Code injection (CWE-94) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-005647 // NVD: CVE-2025-4460

PATCH

title:

Patch for TOTOLINK N150RT URL Filtering Page component cross-site scripting vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/692426

Trust: 0.6

sources: CNVD: CNVD-2025-10935

EXTERNAL IDS

db:	NVD	id:	CVE-2025-4460	Trust: 3.2
db:	VULDB	id:	308079	Trust: 1.8
db:	JVNDB	id:	JVNDB-2025-005647	Trust: 0.8
db:	CNVD	id:	CNVD-2025-10935	Trust: 0.6

sources: CNVD: CNVD-2025-10935 // JVNDB: JVNDB-2025-005647 // NVD: CVE-2025-4460

REFERENCES

url:	https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/n150rt/xss_url_filering	Trust: 2.4
url:	https://vuldb.com/?id.308079	Trust: 1.8
url:	https://vuldb.com/?submit.565956	Trust: 1.8
url:	https://www.totolink.net/	Trust: 1.8
url:	https://vuldb.com/?ctiid.308079	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2025-4460	Trust: 0.8

sources: CNVD: CNVD-2025-10935 // JVNDB: JVNDB-2025-005647 // NVD: CVE-2025-4460

SOURCES

db:	CNVD	id:	CNVD-2025-10935
db:	JVNDB	id:	JVNDB-2025-005647
db:	NVD	id:	CVE-2025-4460

LAST UPDATE DATE

2025-05-30T19:34:45.543000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-10935	date:	2025-05-29T00:00:00
db:	JVNDB	id:	JVNDB-2025-005647	date:	2025-05-26T02:36:00
db:	NVD	id:	CVE-2025-4460	date:	2025-05-23T12:28:39.320

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-10935	date:	2025-05-29T00:00:00
db:	JVNDB	id:	JVNDB-2025-005647	date:	2025-05-26T00:00:00
db:	NVD	id:	CVE-2025-4460	date:	2025-05-09T04:16:17.700