
CVSS: 8.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

Archer C3150 firmware versions prior to 'Archer C3150(JP)_V2_230511' allow a network-adjacent authenticated attacker to execute arbitrary OS commands.

• https://jvn.jp/en/vu/JVNVU99392903
• https://www.tp-link.com/jp/support/download/archer-c3150/#Firmware
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 10 | EXPL: 3

Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products, including WIFI Routers (Wireless AC routers), Access Points, and ADSL + DSL Gateways and Routers. It affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through improper validation of the hostname. Some of the pages, including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm, use this vulnerable hostname function (setDefaultHostname()) without sanitization. Multiple TP-Link devices suffer from an unauthenticated persistent cross-site scripting vulnerability.

• http://packetstormsecurity.com/files/161989/TP-Link-Cross-Site-Scripting.html
• https://github.com/smriti548/CVE/blob/main/CVE-2021-3275
• https://seclists.org/fulldisclosure/2021/Mar/67
• https://www.tp-link.com
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')