CVE-2025-5542

A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been classified as problematic. Affected is an unknown function of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:totolink:x2000r_firmware:1.0.0-b20230726.1108:*:*:*:*:*:*:*
cpe:2.3:h:totolink:x2000r:-:*:*:*:*:*:*:*

History

06 Jun 2025, 18:47

Type Values Removed Values Added
References () https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/X2000R/XSS_Virtual_Server - () https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/X2000R/XSS_Virtual_Server - Exploit
References () https://vuldb.com/?ctiid.310992 - () https://vuldb.com/?ctiid.310992 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.310992 - () https://vuldb.com/?id.310992 - Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.585726 - () https://vuldb.com/?submit.585726 - Third Party Advisory, VDB Entry
References () https://www.totolink.net/ - () https://www.totolink.net/ - Product
CPE cpe:2.3:h:totolink:x2000r:-:*:*:*:*:*:*:*
cpe:2.3:o:totolink:x2000r_firmware:1.0.0-b20230726.1108:*:*:*:*:*:*:*
First Time Totolink x2000r
Totolink
Totolink x2000r Firmware

04 Jun 2025, 14:15

Type Values Removed Values Added
Summary
  • (es) Se encontró una vulnerabilidad en TOTOLINK X2000R 1.0.0-B20230726.1108. Se ha clasificado como problemática. Se ve afectada una función desconocida del archivo /boafrm/formPortFw del componente Virtual Server Page. La manipulación del argumento service_type provoca ataques de cross site scripting. Es posible ejecutar el ataque de forma remota. Se ha hecho público el exploit y puede que sea utilizado.
References () https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/X2000R/XSS_Virtual_Server - () https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/X2000R/XSS_Virtual_Server -

03 Jun 2025, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-06-03 22:15

Updated : 2025-06-06 18:47


NVD link : CVE-2025-5542

Mitre link : CVE-2025-5542

CVE.ORG link : CVE-2025-5542


JSON object : View

Products Affected

totolink

  • x2000r_firmware
  • x2000r
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94

Improper Control of Generation of Code ('Code Injection')