{"api_version":"1","generated_at":"2026-04-23T12:09:18+00:00","cve":"CVE-2021-3275","urls":{"html":"https://cve.report/CVE-2021-3275","api":"https://cve.report/api/cve/CVE-2021-3275.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3275","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3275"},"summary":{"title":"CVE-2021-3275","description":"Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm and use this vulnerable hostname function (setDefaultHostname()) without sanitization.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-03-26 13:15:00","updated_at":"2021-04-01 02:23:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/161989/TP-Link-Cross-Site-Scripting.html","name":"http://packetstormsecurity.com/files/161989/TP-Link-Cross-Site-Scripting.html","refsource":"MISC","tags":[],"title":"TP-Link Cross Site Scripting ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://seclists.org/fulldisclosure/2021/Mar/67","name":"20210326 CVE-2021-3275 : Unauthenticated Stored Cross-site Scripting in Multiple TP-Link Devices","refsource":"FULLDISC","tags":[],"title":"Full Disclosure: CVE-2021-3275 : Unauthenticated Stored Cross-site Scripting in Multiple TP-Link Devices","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.tp-link.com","name":"https://www.tp-link.com","refsource":"MISC","tags":[],"title":"WiFi Networking Equipment for Home & Business | TP-Link","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/smriti548/CVE/blob/main/CVE-2021-3275","name":"https://github.com/smriti548/CVE/blob/main/CVE-2021-3275","refsource":"MISC","tags":[],"title":"CVE/CVE-2021-3275 at main · smriti548/CVE · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3275","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3275","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3275","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"tp-link","cpe5":"archer-c3150","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3275","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"tp-link","cpe5":"archer-c3150_firmware","cpe6":"v2_170926","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3275","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"tp-link","cpe5":"td-w9977","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3275","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"tp-link","cpe5":"td-w9977_firmware","cpe6":"v1_0.1.0_0.9.1_up_boot\\(161123\\)_2016-11-23_15.36.15","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3275","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"tp-link","cpe5":"tl-wa801n","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3275","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"tp-link","cpe5":"tl-wa801nd","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3275","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"tp-link","cpe5":"tl-wa801nd_firmware","cpe6":"v5_us_0.9.1_3.16_up_boot\\[170905-rel56404\\]","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3275","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"tp-link","cpe5":"tl-wa801n_firmware","cpe6":"v6_eu_0.9.1_3.16_up_boot\\[200116-rel61815\\]","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3275","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"tp-link","cpe5":"tl-wr802n","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3275","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"tp-link","cpe5":"tl-wr802n_firmware","cpe6":"v4_us_0.9.1_3.17_up_boot\\[200421-rel38950\\]","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-3275","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm and use this vulnerable hostname function (setDefaultHostname()) without sanitization."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.tp-link.com","refsource":"MISC","name":"https://www.tp-link.com"},{"refsource":"MISC","name":"https://github.com/smriti548/CVE/blob/main/CVE-2021-3275","url":"https://github.com/smriti548/CVE/blob/main/CVE-2021-3275"},{"refsource":"FULLDISC","name":"20210326 CVE-2021-3275 : Unauthenticated Stored Cross-site Scripting in Multiple TP-Link Devices","url":"https://seclists.org/fulldisclosure/2021/Mar/67"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/161989/TP-Link-Cross-Site-Scripting.html","url":"http://packetstormsecurity.com/files/161989/TP-Link-Cross-Site-Scripting.html"}]}},"nvd":{"publishedDate":"2021-03-26 13:15:00","lastModifiedDate":"2021-04-01 02:23:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:tp-link:td-w9977_firmware:v1_0.1.0_0.9.1_up_boot\\(161123\\)_2016-11-23_15.36.15:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:tp-link:td-w9977:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:tp-link:tl-wa801nd_firmware:v5_us_0.9.1_3.16_up_boot\\[170905-rel56404\\]:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:tp-link:tl-wa801nd:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:tp-link:tl-wa801n_firmware:v6_eu_0.9.1_3.16_up_boot\\[200116-rel61815\\]:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:tp-link:tl-wa801n:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:tp-link:tl-wr802n_firmware:v4_us_0.9.1_3.17_up_boot\\[200421-rel38950\\]:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:tp-link:tl-wr802n:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:tp-link:archer-c3150_firmware:v2_170926:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:tp-link:archer-c3150:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3275","Ordinal":"200795","Title":"CVE-2021-3275","CVE":"CVE-2021-3275","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3275","Ordinal":"1","NoteData":"Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm and use this vulnerable hostname function (setDefaultHostname()) without sanitization.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"3275","Ordinal":"2","NoteData":"2021-03-26","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"3275","Ordinal":"3","NoteData":"2021-03-26","Type":"Other","Title":"Modified"}]}}}