Unauthenticated XSS Vulnerability in TP-Link Archer AX50 Firmware

CVE-2024-2188
6.1 MEDIUM

Key Information

Vendor
TP-Link
Status
Archer AX50
Vendor
CVE Published: 5 March 2024

Badges

👾 Exploit Exists, 🔴 Public PoC

Summary

Stored Cross-Site Scripting (XSS) vulnerability in TP-Link Archer AX50 affecting firmware version 1.0.11 build 2022052. This vulnerability could allow an unauthenticated attacker to create a port mapping rule via a SOAP request and store a malicious JavaScript payload within that rule, which could result in execution of the JavaScript payload when the rule is loaded.

Affected Version(s)

Archer AX50 = 1.0.11 build 2022052

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • 👾 Exploit exists.

  • Vulnerability Reserved.

  • Vulnerability published.

Collectors

NVD Database, Mitre Database, 1 Proof of Concept(s)

Credit

Victor Fresco Perales (@hacefresko)