cvebase

TP-Link EAP Controller vulnerabilities

6 known vulnerabilities affecting tp-link/eap_controller.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 2

Vulnerabilities

CVE-2018-5393 | P2 | CRITICAL | CVSS 9.8 | ≤ 2.5.3 | ≥ 2.5.3, ≤ 2.5.3 | 2018-09-28
CWE-306: The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. It utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface does not require any authentication before use, so it lacks user authentication for RMI service commands in EAP controller versions 2.5.3 and earlier.
Source: NVD

CVE-2018-10168 | P3 | HIGH | CVSS 8.8 | v2.5.4 | v2.6.0 | 2018-05-03
CWE-269: TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows.
Source: NVD

CVE-2018-10166 | P3 | HIGH | CVSS 8.8 | v2.5.4 | v2.6.0 | 2018-05-03
CWE-352: The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fixed in version 2.6.1_Windows.
Source: NVD

CVE-2018-10167 | P3 | HIGH | CVSS 7.5 | v2.5.4 | v2.6.0 | 2018-05-03
CWE-798: The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in ver
Source: NVD

CVE-2018-10164 | P4 | MEDIUM | CVSS 5.4 | v2.5.4 | v2.6.0 | 2018-05-03
CWE-79: Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows.
Source: NVD

CVE-2018-10165 | P4 | MEDIUM | CVSS 5.4 | v2.5.4 | v2.6.0 | 2018-05-03
CWE-79: Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows.
Source: NVD