CVE-2025-5542: TOTOLINK X2000R Virtual Server Page formPortFw cross site scripting

2.4 CVSS

Description

A vulnerability was found in TOTOLINK X2000R 1.0.0-B20230726.1108. It has been classified as problematic. Affected is an unknown function of the file /boafrm/formPortFw of the component Virtual Server Page. The manipulation of the argument service_type leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine problematische Schwachstelle in TOTOLINK X2000R 1.0.0-B20230726.1108 ausgemacht. Es geht dabei um eine nicht klar definierte Funktion der Datei /boafrm/formPortFw der Komponente Virtual Server Page. Dank der Manipulation des Arguments service_type mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.

Classification

CVE ID: CVE-2025-5542

CVSS Base Severity: LOW

CVSS Base Score: 2.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Problem Types

Cross Site Scripting Code Injection

Affected Products

Vendor: TOTOLINK

Product: X2000R

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 25.99% (scored less or equal to compared to others)

EPSS Date: 2025-06-05 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5542
https://vuldb.com/?id.310992
https://vuldb.com/?ctiid.310992
https://vuldb.com/?submit.585726
https://github.com/fizz-is-on-the-way/Iot_vuls/tree/main/X2000R/XSS_Virtual_Server
https://www.totolink.net/

Timeline

2025-06-03 22:40:20 UTC
CVE

TOTOLINK X2000R Virtual Server Page formPortFw cross site scripting