CVE-2017-17745
Description
Cross-site scripting (XSS) in TP-Link TL-SG108E system_name_set.cgi allows authenticated remote attackers to inject arbitrary JavaScript via the sysName parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a stored cross-site scripting (XSS) in the system_name_set.cgi endpoint of TP-Link TL-SG108E switches running firmware version 1.0.0 Build 20160722 Rel.50167 (hardware version TL-SG108E 3.0). The sysName parameter is not properly sanitized, allowing injection of arbitrary JavaScript [1]. Older firmware versions may also be affected.
Exploitation
An attacker must be authenticated to the device's web interface. The attacker submits a request to system_name_set.cgi with a crafted sysName parameter containing a JavaScript payload. The script executes in the context of the admin's session when the system name is displayed on the management page [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript within the admin session, potentially leading to session hijacking, defacement, or further compromise of the switch configuration [1].
Mitigation
TP-Link acknowledged the vulnerability and indicated that an updated firmware would be released [1]. However, as of the publication date (December 2017), no official fix or workaround has been disclosed. Users should monitor TP-Link's support page for firmware updates and restrict access to the management interface to trusted networks only.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1. seclists.org/fulldisclosure/2017/Dec/67 (NVD tags: Mailing List, Third Party Advisory)
News mentions: 0
No linked articles in our index yet.