5.3
CVE-2026-34127
- EPSS 0.24%
- Veröffentlicht 29.05.2026 18:59:14
- Zuletzt bearbeitet 01.06.2026 18:35:34
- Quelle f23511db-6c3e-4e32-a477-6aa17d
- CVE-Watchlists
- Unerledigt
Stored Cross-Site Scripting (XSS) via Configuration File Import on TP-Link's TL-SG108PE
A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which may be stored and executed in the administrator’s browser when the affected interface is viewed. Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Tp-link ≫ Tl-sg108pe Firmware Version1.0.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.147 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| f23511db-6c3e-4e32-a477-6aa17d310630 | 5.3 | 0 | 0 |
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware
https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware
https://www.tp-link.com/us/support/faq/5110/