VYPR
Unrated severity · NVD Advisory · Published Dec 23, 2018 · Updated Sep 17, 2024

CVE-2018-20372

Description

TP-Link TD-W8961ND routers are vulnerable to persistent XSS via a crafted DHCP client hostname, enabling script injection in the web interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A persistent cross-site scripting (XSS) vulnerability exists in the web application of TP-Link TD-W8961ND ADSL2+ Modem Routers (firmware v1.x) and potentially other models using the same firmware [1]. The flaw resides in the DHCP client list view, where the hostname field supplied by DHCP clients is not properly sanitized before being displayed. An attacker can inject arbitrary JavaScript code by setting a DHCP client's hostname to include malicious script payloads. The injected code executes on the application side when the administrator views the DHCP client list in the web interface, resulting in stored XSS [1].

Exploitation

To exploit this vulnerability, an attacker must be on the same local network as the target router and have the ability to send DHCP requests [1]. No authentication is required to initiate the attack; the attacker's DHCP client simply needs to be configured with (or to spoof) a hostname containing an XSS payload (e.g., ``). When the router's web interface is accessed by an administrator, the DHCP client list renders the malicious hostname, executing the script in the context of the administrator's browser session [1]. The attack is remote, as the attacker can be any device on the LAN that obtains an IP via DHCP.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the administrator's browser [1]. This can lead to session hijacking, configuration changes, redirection to malicious sites, or further compromise of the router's administrative functions. The CVSS v2 score is 3.5 (Low), reflecting prerequisites of local network access and user interaction (the admin must view the DHCP client list) [1]. The impact is context-dependent, but in a home or small office environment, this could allow an attacker to modify DNS settings, exfiltrate credentials, or perform other administrative actions.

Mitigation

Vendor advisory or patch: Not disclosed in the available references [1]. As of the publication date (2016-11-28 disclosure, 2018-12-23 CVE assignment), no official firmware update from TP-Link has been mentioned. Users should restrict access to the router's web interface to trusted networks, disable remote management, and avoid viewing the DHCP client list when untrusted devices are connected. Additionally, network-level controls like ingress filtering for DHCP hostnames could help, but no official workaround is documented.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing output sanitization of the DHCP hostname field allows persistent XSS in the router's web interface."

Attack vector

An attacker on the local network sends a crafted DHCP request with a malicious JavaScript payload as the hostname (e.g., via a modified DHCP client or a rogue DHCP server). When an administrator views the DHCP client list in the router's web interface, the payload executes in the context of the admin session [1]. The attack requires no authentication on the attacker's part and only low user interaction (the admin viewing the list) [1].

Affected code

The vulnerability resides in the DHCP client list view of the TP-Link TD-W8961ND web GUI (firmware v1.x). The router does not sanitize the hostname field supplied by DHCP clients before rendering it in the administrative interface.

What the fix does

No patch is provided in the bundle. The advisory does not include a vendor fix or remediation guidance [1]. To close the vulnerability, the router firmware should sanitize or encode the DHCP hostname field before rendering it in the web interface, preventing script injection.
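One way to implement the sanitize-or-encode step described above, as an added example (not TP-Link firmware code and not taken from the advisory): an allowlist check plus a bounded HTML encoder for the DHCP hostname. The function names, the 63-byte limit and the `?` replacement for control and non-ASCII bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Allowlist check (assumed policy): letters, digits, '-', '.' and '_' only,
 * 1..63 bytes. Anything else in the DHCP hostname is untrusted text. */
int hostname_is_plain(const unsigned char *h, size_t len)
{
    if (len == 0 || len > 63) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = h[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_';
        if (!ok) return 0;
    }
    return 1;
}

/* HTML-encode a length-delimited hostname into out (NUL-terminated).
 * Returns the encoded length, or -1 if out is too small; the caller then
 * renders a fixed placeholder instead of a partial string. */
int html_encode_hostname(const unsigned char *in, size_t in_len,
                         char *out, size_t out_cap)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        char one[2] = { (char)in[i], '\0' };
        const char *rep = one;              /* default: copy the byte as-is */
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:
            /* Control and non-ASCII bytes are replaced, not passed through. */
            if (in[i] < 0x20 || in[i] >= 0x7f) rep = "?";
        }
        size_t n = strlen(rep);
        if (o + n + 1 > out_cap) return -1; /* keep room for the NUL */
        memcpy(out + o, rep, n);
        o += n;
    }
    if (out_cap == 0) return -1;
    out[o] = '\0';
    return (int)o;
}
```

Encoding at render time covers every page that displays the value; the allowlist check can additionally be applied when the lease is recorded, so that non-conforming hostnames are never stored.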

Preconditions

  • network: Attacker must be on the same local network as the router to send a crafted DHCP request
  • input: An administrator must view the DHCP client list page in the router's web interface

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
