ByteOS Network

NVD Vulnerability Details :

CVE-2025-25427

Analyzed

Source-f23511db-6c3e-4e32-a477-6aa17d310630

Published At-18 Apr, 2025 | 01:15

Updated At-09 Jul, 2025 | 17:35

A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web Interface in TP-Link WR841N v14/v14.6/v14.8 <= Build 241230 Rel. 50788n allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution of the JavaScript payload when the upnp page is loaded.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.6	HIGH	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CPE Matches

TP-Link Systems Inc.

>>wr841n_firmware>>Versions up to 241230(inclusive)

cpe:2.3:o:tp-link:wr841n_firmware:*:*:*:*:*:*:*:*

TP-Link Systems Inc.

>>wr841n>>14

cpe:2.3:h:tp-link:wr841n:14:*:*:*:*:*:*:*

TP-Link Systems Inc.

>>wr841n>>14.6

cpe:2.3:h:tp-link:wr841n:14.6:*:*:*:*:*:*:*

TP-Link Systems Inc.

>>wr841n>>14.8

cpe:2.3:h:tp-link:wr841n:14.8:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Secondary	f23511db-6c3e-4e32-a477-6aa17d310630

References

Hyperlink	Source	Resource
https://github.com/slin99/2025-25427	f23511db-6c3e-4e32-a477-6aa17d310630	Exploit Third Party Advisory
https://www.tp-link.com/us/support/download/tl-wr841n/#Firmware	f23511db-6c3e-4e32-a477-6aa17d310630	Product
https://www.tp-link.com/us/support/faq/4415/	f23511db-6c3e-4e32-a477-6aa17d310630	Vendor Advisory
https://github.com/slin99/2025-25427/blob/master/readme.md	134c704f-9b21-4f2e-91b3-4a467353bcc0	Exploit Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History