CVE-2024-57514 - XSS in TP-Link A20 v3 Router
Title: XSS in TP-Link A20 v3 Router
Severity: Medium 5.3 (CVSS 4.0)
Researcher: Ravindu Wickramasinghe | rvz (@rvizx9)
Product: archer-a20
Vulnerable Versions: A20 v3
Fixed Versions: N/A
CVE: CVE-2024-57514
1. Introduction
The TP-Link Archer A20 v3 Router is vulnerable to Cross-site Scripting (XSS) due to improper handling of
directory listing paths in the web interface. When a specially crafted URL is visited, the router's web
page renders the directory listing and executes arbitrary JavaScript embedded in the URL. This allows
the attacker to inject malicious code into the page, executing JavaScript on the victim's browser, which
could then be used for further malicious actions. The vulnerability was identified in the 1.0.6 Build
20231011 rel.85717(5553) version.
2. Analysis and Proof of Concept
The XSS vulnerability, while allowing arbitrary JavaScript execution on the `/` path, and
sub-directories it does not permit the direct theft of cookies scoped to `/cgi-bin/luci`. This is due to
the cookie’s path attribute, which restricts its accessibility to that specific path. As a result, the
attacker cannot access or steal the cookie from the `/cgi-bin/luci` path via the XSS on `/`. However,
while the cookie is protected from direct theft in this instance, it is important to note that other
types of attacks, could still be possible depending on the context and other vulnerabilities present in the system.
Payload:
http://192.168.0.1/<style onload=alert`rvz`;>../..%2f
PoC Video:
3. Tp-Link's Statement
TP-Link has acknowledged the vulnerability identified in the TP-Link A20 v3 Router, confirming its existence. However, the company has clarified that the affected model has reached its End of Life (EOL) status, in accordance with their End-of-Life Policy. After a comprehensive evaluation, TP-Link’s security and product teams concluded that the scope and severity of the vulnerability are limited, and as such, no corrective actions will be taken for this model. The company assured that it is actively assessing other models to identify potential vulnerabilities and ensure the continued security of its products.
4. Timeline
06/12/2024 - Sent the vulnerability report to TP-Link
23/12/2024 - Recieved a response from the TP-Link Team
23/12/2024 - Inquire about requesting CVE for the issue from TP-Link
24/12/2024 - Requested a CVE ID from MITRE
23/01/2025 - MITRE Team Assigned CVE-2024-57514
28/01/2025 - Publicly disclosed the security issue details.