CVE-2024-28402 in X2000R
Summary
by MITRE • 04/11/2024
TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in IP/Port Filtering under the Firewall Page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/13/2025
The vulnerability identified as CVE-2024-28402 affects the TOTOLINK X2000R router firmware version prior to V1.0.0-B20231213.1013, representing a critical security flaw within the device's web-based management interface. This issue manifests as a stored cross-site scripting vulnerability located within the IP/Port Filtering functionality of the Firewall page, creating a persistent threat that can affect all users interacting with the affected system. The vulnerability stems from inadequate input validation and output encoding mechanisms within the router's web interface, specifically when processing user-supplied data for firewall rule configurations.
The technical flaw occurs when administrators or users input malicious script code into the IP/Port Filtering parameters, which are then stored in the router's configuration database without proper sanitization. When other users subsequently access the Firewall page to view or modify these stored rules, the malicious scripts execute in their browsers, potentially compromising their sessions and enabling unauthorized actions. This stored nature of the vulnerability means that the malicious payload persists even after the initial configuration, making it particularly dangerous as it can affect multiple users over time. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and represents a classic case of insecure input handling within web applications.
The operational impact of this vulnerability extends beyond simple script execution, potentially enabling attackers to perform session hijacking, steal administrative credentials, redirect users to malicious sites, or execute arbitrary commands within the context of the router's web interface. An attacker could leverage this vulnerability to gain unauthorized access to the router's administrative functions, modify firewall rules to allow malicious traffic, or establish persistent access points within the network. The threat is particularly concerning for enterprise environments where network administrators may unknowingly execute malicious scripts when viewing firewall configurations, creating a potential attack vector for lateral movement and network compromise. This vulnerability directly maps to ATT&CK technique T1071.004 for application layer protocol usage and T1566 for phishing attacks through web interfaces.
Mitigation strategies for CVE-2024-28402 should prioritize immediate firmware updates to the latest available version V1.0.0-B20231213.1013 or later, which should contain the necessary patches to address the input validation and output encoding deficiencies. Network administrators should also implement additional security measures including restricting administrative access to trusted IP addresses, enabling two-factor authentication where available, and conducting regular security audits of router configurations. Organizations should consider implementing network segmentation to limit the potential impact of successful exploitation and establish monitoring procedures to detect unusual firewall rule modifications. The vulnerability highlights the importance of secure web application development practices and the necessity of comprehensive input validation and output encoding mechanisms, particularly in network infrastructure devices that serve as critical access points for network management and security policy enforcement.