CVE-2025-21603
Description
Cross-site scripting vulnerability exists in MZK-DP300N firmware versions 1.05 and earlier. If an attacker logs in to the affected product and manipulates the device settings, an arbitrary script may be executed on the logged-in user's web browser when accessing a crafted URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting vulnerability in PLANEX MZK-DP300N firmware ≤1.05 allows authenticated attackers to execute arbitrary scripts via a crafted URL.
The PLANEX MZK-DP300N wireless LAN router contains a cross-site scripting (XSS) vulnerability in firmware versions 1.05 and earlier. The vulnerability is classified as CWE-79 and arises from improper handling of device settings input [1].
Exploitation requires an attacker to first authenticate to the router's web interface and then manipulate device settings. Upon accessing a specially crafted URL, arbitrary scripts can execute in the context of the logged-in user's browser. The attack vector is network-based with high privileges required and user interaction needed, reflected in a CVSS v3 base score of 4.8 (Medium) [1].
Successful exploitation allows the attacker to execute malicious scripts in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The impact is limited to the browser session of the authenticated user [1].
PLANEX has released firmware version 1.06 (and later 1.08), which addresses this vulnerability. Users are advised to update to the latest firmware as described on the vendor's download page [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.05
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.