Cyber Posture

CVE-2024-57514

Severity: Medium
Published: 28 January 2025
Modified: 15 April 2026
CVSS Score: 4.8 (CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0777 (92.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting (XSS) because its web interface does not properly handle directory listing paths. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL. This lets an attacker inject malicious code into the page and execute JavaScript in the victim's browser, which could then be used for further malicious actions. The vulnerability was identified in version 1.0.6 Build 20231011 rel.85717(5553).

Security Summary

CVE-2024-57514 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in the web interface of the TP-Link Archer A20 v3 router. It arises from improper handling of directory listing paths, where a specially crafted URL triggers the router's web page to render a directory listing and execute arbitrary JavaScript embedded in the URL. This flaw was identified in version 1.0.6 Build 20231011 rel.85717(5553) and carries a CVSS v3.1 base score of 4.8 (AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

An attacker on an adjacent network with low privileges can exploit this by tricking a victim into visiting the malicious URL while using the router's web interface. Successful exploitation injects and executes arbitrary JavaScript in the victim's browser, in the context of the router's web interface, enabling actions such as stealing session cookies, keystroke logging, or phishing overlays; the rated impact is limited to low confidentiality and integrity effects with no availability disruption.

For additional details, including proof-of-concept reproduction, refer to the analysis at https://www.zyenra.com/blog/xss-in-tplink-archer-a20.html. No vendor-specific patch or mitigation guidance is detailed in the available references.

Details

CWE(s)
CWE-79