ID

VAR-202506-0297


CVE

CVE-2025-5542


TITLE

Cross-site scripting vulnerability in TOTOLINK x2000r firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-006495

DESCRIPTION

A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been classified as problematic. Affected is an unknown function of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. TOTOLINK x2000r firmware has a cross-site scripting vulnerability. Information may be obtained and information may be tampered with. TOTOLINK X2000R is a wireless router from China's TOTOLINK Electronics. TOTOLINK X2000R has a cross-site scripting vulnerability, which is caused by the lack of effective filtering and escaping of user-supplied data in the parameter service_type in the file /boafrm/formPortFw. No detailed vulnerability information is currently provided.

Trust: 2.16

sources: NVD: CVE-2025-5542 // JVNDB: JVNDB-2025-006495 // CNVD: CNVD-2025-12167

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-12167

AFFECTED PRODUCTS

vendor: totolink, model: x2000r, scope: eq, version: 1.0.0-b20230726.1108

Trust: 1.0

vendor: totolink, model: x2000r, scope: -, version: -

Trust: 0.8

vendor: totolink, model: x2000r, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: x2000r, scope: eq, version: x2000r firmware 1.0.0-b20230726.1108

Trust: 0.8

vendor: totolink, model: x2000r 1.0.0-b20230726.1108, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-12167 // JVNDB: JVNDB-2025-006495 // NVD: CVE-2025-5542

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-5542
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2025-5542
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2025-006495
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2025-12167
value: LOW

Trust: 0.6

cna@vuldb.com: CVE-2025-5542
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-006495
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-12167
severity: LOW
baseScore: 3.3
vectorString: AV:N/AC:L/AU:M/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-5542
baseSeverity: LOW
baseScore: 2.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 1.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-5542
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2025-006495
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-12167 // JVNDB: JVNDB-2025-006495 // NVD: CVE-2025-5542 // NVD: CVE-2025-5542

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.0

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

problemtype: Cross-site scripting (CWE-79) [NVD evaluation ]

Trust: 0.8

problemtype: Code injection (CWE-94) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-006495 // NVD: CVE-2025-5542

EXTERNAL IDS

db: NVD, id: CVE-2025-5542

Trust: 3.2

db: VULDB, id: 310992

Trust: 1.8

db: JVNDB, id: JVNDB-2025-006495

Trust: 0.8

db: CNVD, id: CNVD-2025-12167

Trust: 0.6

sources: CNVD: CNVD-2025-12167 // JVNDB: JVNDB-2025-006495 // NVD: CVE-2025-5542

REFERENCES

url:https://github.com/fizz-is-on-the-way/iot_vuls/tree/main/x2000r/xss_virtual_server

Trust: 2.4

url:https://vuldb.com/?id.310992

Trust: 1.8

url:https://vuldb.com/?submit.585726

Trust: 1.8

url:https://www.totolink.net/

Trust: 1.8

url:https://vuldb.com/?ctiid.310992

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-5542

Trust: 0.8

sources: CNVD: CNVD-2025-12167 // JVNDB: JVNDB-2025-006495 // NVD: CVE-2025-5542

SOURCES

db: CNVD, id: CNVD-2025-12167
db: JVNDB, id: JVNDB-2025-006495
db: NVD, id: CVE-2025-5542

LAST UPDATE DATE

2025-06-14T22:53:44.130000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-12167, date: 2025-06-11T00:00:00
db: JVNDB, id: JVNDB-2025-006495, date: 2025-06-10T00:32:00
db: NVD, id: CVE-2025-5542, date: 2025-06-06T18:47:37.757

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-12167, date: 2025-06-11T00:00:00
db: JVNDB, id: JVNDB-2025-006495, date: 2025-06-10T00:00:00
db: NVD, id: CVE-2025-5542, date: 2025-06-03T22:15:21.807