CVE-2023-34354 LOW

CVE-2023-34354

Vendor Peplink
Product Surf SOHO HW1
Weakness CWE-80 · XSS · basic
Published October 11, 2023
Last update November 4, 2025

CVSS base score

3.4/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in the upload_brand.cgi functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to execution of arbitrary javascript in another user's browser. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Key dates

02Disclosure timeline

October 11, 2023 CVE published
November 4, 2025 Record updated