ID

VAR-202506-0281


CVE

CVE-2025-5516


TITLE

TOTOLINK of x2000r Cross-site scripting vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-006480

DESCRIPTION

A vulnerability, which was classified as problematic, was found in TOTOLINK X2000R 1.0.0-B20230726.1108. This affects an unknown part of the file /boafrm/formFilter of the component URL Filtering Page. The manipulation of the argument URL Address leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK of x2000r Firmware has a cross-site scripting vulnerability. Information may be obtained and information may be tampered with. X2000R is a wireless router from China's TOTOLINK. X2000R 1.0.0-B20230726.1108 version of TOTOLINK (Shenzhen) Co., Ltd. has a cross-site scripting vulnerability. The vulnerability is caused by the lack of effective filtering and escaping of user-supplied data in the URL Address parameter. Attackers can exploit this vulnerability to execute arbitrary web scripts or HTML by injecting carefully designed payloads.

Trust: 2.16

sources: NVD: CVE-2025-5516 // JVNDB: JVNDB-2025-006480 // CNVD: CNVD-2025-12342

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-12342

AFFECTED PRODUCTS

vendor: totolink, model: x2000r, scope: eq, version: 1.0.0-b20230726.1108

Trust: 1.0

vendor: totolink, model: x2000r, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: x2000r, scope: -, version: -

Trust: 0.8

vendor: totolink, model: x2000r, scope: eq, version: x2000r firmware 1.0.0-b20230726.1108

Trust: 0.8

vendor: jiong, model: x2000r 1.0.0-b20230726.1108, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-12342 // JVNDB: JVNDB-2025-006480 // NVD: CVE-2025-5516

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-5516
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2025-5516
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2025-006480
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2025-12342
value: MEDIUM

Trust: 0.6

cna@vuldb.com: CVE-2025-5516
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-006480
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-12342
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-5516
baseSeverity: LOW
baseScore: 2.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 1.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-5516
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2025-006480
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-12342 // JVNDB: JVNDB-2025-006480 // NVD: CVE-2025-5516 // NVD: CVE-2025-5516

PROBLEMTYPE DATA

problemtype: CWE-94

Trust: 1.0

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

problemtype: Cross-site scripting (CWE-79) [others]

Trust: 0.8

problemtype: Code injection (CWE-94) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2025-006480 // NVD: CVE-2025-5516

EXTERNAL IDS

db: NVD, id: CVE-2025-5516

Trust: 3.2

db: VULDB, id: 310953

Trust: 1.8

db: JVNDB, id: JVNDB-2025-006480

Trust: 0.8

db: CNVD, id: CNVD-2025-12342

Trust: 0.6

sources: CNVD: CNVD-2025-12342 // JVNDB: JVNDB-2025-006480 // NVD: CVE-2025-5516

REFERENCES

url: https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/x2000r/xss_url_filtering

Trust: 1.8

url: https://vuldb.com/?id.310953

Trust: 1.8

url: https://vuldb.com/?submit.584661

Trust: 1.8

url: https://www.totolink.net/

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2025-5516

Trust: 1.4

url: https://vuldb.com/?ctiid.310953

Trust: 1.0

sources: CNVD: CNVD-2025-12342 // JVNDB: JVNDB-2025-006480 // NVD: CVE-2025-5516

SOURCES

db: CNVD, id: CNVD-2025-12342
db: JVNDB, id: JVNDB-2025-006480
db: NVD, id: CVE-2025-5516

LAST UPDATE DATE

2025-06-14T22:51:57.098000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-12342, date: 2025-06-13T00:00:00
db: JVNDB, id: JVNDB-2025-006480, date: 2025-06-09T05:01:00
db: NVD, id: CVE-2025-5516, date: 2025-06-06T17:42:29.520

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-12342, date: 2025-06-12T00:00:00
db: JVNDB, id: JVNDB-2025-006480, date: 2025-06-09T00:00:00
db: NVD, id: CVE-2025-5516, date: 2025-06-03T18:15:27.067