1. Introduction

The TP-Link Archer A20 v3 Router is vulnerable to Cross-site Scripting (XSS) due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router’s web page renders the directory listing and executes arbitrary JavaScript embedded in the URL. This allows the attacker to inject malicious code into the page, executing JavaScript on the victim’s browser, which could then be used for further malicious actions. The vulnerability was identified in the 1.0.6 Build 20231011 rel.85717(5553) version.

2. Analysis and Proof of Concept

The XSS vulnerability, while allowing arbitrary JavaScript execution on the / path, and sub-directories it does not permit the direct theft of cookies scoped to /cgi-bin/luci. This is due to the cookie’s path attribute, which restricts its accessibility to that specific path. As a result, the attacker cannot access or steal the cookie from the /cgi-bin/luci path via the XSS on /. However, while the cookie is protected from direct theft in this instance, it is important to note that other types of attacks, could still be possible depending on the context and other vulnerabilities present in the system.

Payload:

http://192.168.0.1/<style onload=alert`rvz`;>../..%2f

PoC Video:

3. Statement from TP-Link Company

TP-Link has acknowledged the vulnerability identified in the TP-Link A20 v3 Router, confirming its existence. However, the company has clarified that the affected model has reached its End of Life (EOL) status, in accordance with their End-of-Life Policy. After a comprehensive evaluation, TP-Link’s security and product teams concluded that the scope and severity of the vulnerability are limited, and as such, no corrective actions will be taken for this model. The company assured that it is actively assessing other models to identify potential vulnerabilities and ensure the continued security of its product

4. Timeline

06/12/2024 – Sent the vulnerability report to TP-Link
23/12/2024 – Received a response from the TP-Link Team
23/12/2024 – Inquired about requesting CVE for the issue from TP-Link
24/12/2024 – Requested a CVE ID from MITRE
23/01/2025 – MITRE Team assigned CVE-2024-57514
28/01/2025 – Publicly disclosed the security issue details

Author / Researcher

Ravindu Wickramasinghe | rvz

​1. Introduction

​2. Analysis and Proof of Concept

​Payload:

​PoC Video:

​3. Statement from TP-Link Company

​4. Timeline

​Author / Researcher