 
1. Introduction
The TP-Link Archer A20 v3 Router is vulnerable to Cross-site Scripting (XSS) due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router’s web page renders the directory listing and executes arbitrary JavaScript embedded in the URL. This allows the attacker to inject malicious code into the page, executing JavaScript on the victim’s browser, which could then be used for further malicious actions. The vulnerability was identified in the1.0.6 Build 20231011 rel.85717(5553) version.
2. Analysis and Proof of Concept
The XSS vulnerability, while allowing arbitrary JavaScript execution on the / path, and sub-directories it does not permit the direct theft of cookies scoped to /cgi-bin/luci. This is due to the cookie’s path attribute, which restricts its accessibility to that specific path. As a result, the attacker cannot access or steal the cookie from the /cgi-bin/luci path via the XSS on /. However, while the cookie is protected from direct theft in this instance, it is important to note that other types of attacks, could still be possible depending on the context and other vulnerabilities present in the system.Payload:
PoC Video:
3. Statement from TP-Link Company
TP-Link has acknowledged the vulnerability identified in the TP-Link A20 v3 Router, confirming its existence. However, the company has clarified that the affected model has reached its End of Life (EOL) status, in accordance with their End-of-Life Policy. After a comprehensive evaluation, TP-Link’s security and product teams concluded that the scope and severity of the vulnerability are limited, and as such, no corrective actions will be taken for this model. The company assured that it is actively assessing other models to identify potential vulnerabilities and ensure the continued security of its product4. Timeline
- 06/12/2024 – Sent the vulnerability report to TP-Link
- 23/12/2024 – Received a response from the TP-Link Team
- 23/12/2024 – Inquired about requesting CVE for the issue from TP-Link
- 24/12/2024 – Requested a CVE ID from MITRE
- 23/01/2025 – MITRE Team assigned CVE-2024-57514
- 28/01/2025 – Publicly disclosed the security issue details
