
Austin Hackers Anonymous



CVE-2024-4224: TP-Link TL-SG1016DE XSS

AHA! has discovered an issue with the TL-SG1016DE from TP-Link, and is publishing this disclosure in accordance with AHA!’s standard disclosure policy today, on July 15, 2024. CVE-2024-4224 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Authenticated stored cross-site scripting (XSS) exists in the TP-Link TL-SG1016DE affecting version TL-SG1016DE(UN) V7.6_1.0.0 Build 20230616, which could allow an adversary to run JavaScript in an administrator’s browser. CVE-2024-4224 is an instance of CWE-79.

Technical Details

In the management web interface, the sysName parameter of /system_name_set.cgi accepts user input via HTTP GET to set the system name. Once stored, the system name is rendered into the management pages without HTML entity encoding, so any JavaScript stored in the system name is executed by the browser of whoever views those pages.

Proof of concept (PoC) exploit:

<html>
<body>
<a href='http://192.168.0.1/system_name_set.cgi?sysName=a"]};alert(1);</script>'>XSS</a>
</body>
</html>

Repro steps:

  1. Save PoC exploit as 1.html
  2. Authenticate to TL-SG1016DE
  3. Open 1.html and click the XSS link

Proof screenshot: