CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 1CVE-2023-27126
https://notcve.org/view.php?id=CVE-2023-27126
06 Jun 2023 — The AES Key-IV pair used by the TP-Link TAPO C200 camera V3 (EU) on firmware version 1.1.22 Build 220725 is reused across all cameras. An attacker with physical access to a camera is able to extract and decrypt sensitive data containing the Wifi password and the TP-LINK account credential of the victim. • http://tapo.com • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 2CVE-2023-31756
https://notcve.org/view.php?id=CVE-2023-31756
19 May 2023 — A command injection vulnerability exists in the administrative web portal in TP-Link Archer VR1600V devices running firmware Versions <= 0.1.0. 0.9.1 v5006.0 Build 220518 Rel.32480n which allows remote attackers, authenticated to the administrative web portal as an administrator user to open an operating system level shell via the 'X_TP_IfName' parameter. • https://github.com/StanleyJobsonAU/LongBow • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 1CVE-2023-31700
https://notcve.org/view.php?id=CVE-2023-31700
17 May 2023 — TP-Link TL-WPA4530 KIT V2 (EU)_170406 and V2 (EU)_161115 is vulnerable to Command Injection via _httpRpmPlcDeviceAdd. • https://github.com/FirmRec/IoT-Vulns/blob/main/tp-link/postPlcJson/report.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 1CVE-2023-31701
https://notcve.org/view.php?id=CVE-2023-31701
17 May 2023 — TP-Link TL-WPA4530 KIT V2 (EU)_170406 and V2 (EU)_161115 is vulnerable to Command Injection via _httpRpmPlcDeviceRemove. • https://github.com/FirmRec/IoT-Vulns/blob/main/tp-link/postPlcJson/report.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-2646 – TP-Link Archer C7v2 GET Request Parameter denial of service
https://notcve.org/view.php?id=CVE-2023-2646
11 May 2023 — A vulnerability has been found in TP-Link Archer C7v2 v2_en_us_180114 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component GET Request Parameter Handler. The manipulation leads to denial of service. The attack can only be done within the local network. The associated identifier of this vulnerability is VDB-228775. • https://vuldb.com/?ctiid.228775 • CWE-404: Improper Resource Shutdown or Release •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27359 – TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability
https://notcve.org/view.php?id=CVE-2023-27359
24 Apr 2023 — TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability. This vulnerability allows remote attackers to gain access to LAN-side services on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hotplugd daemon. The issue results from firewall rule handling that allows an attacker access to resources that should be available to the LAN interface only. • https://www.zerodayinitiative.com/advisories/ZDI-23-452 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-28368
https://notcve.org/view.php?id=CVE-2023-28368
11 Apr 2023 — TP-Link L2 switch T2600G-28SQ firmware versions prior to 'T2600G-28SQ(UN)_V1_1.0.6 Build 20230227' uses vulnerable SSH host keys. A fake device may be prepared to spoof the affected device with the vulnerable host key.If the administrator may be tricked to login to the fake device, the credential information for the affected device may be obtained. • https://jvn.jp/en/jp/JVN62420378 • CWE-1391: Use of Weak Credentials •
CVSS: 7.8EPSS: 2%CPEs: 2EXPL: 3CVE-2022-37255 – Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access
https://notcve.org/view.php?id=CVE-2022-37255
28 Mar 2023 — TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603. Tapo C310 RTSP server version 1.3.0 suffers from an unauthorized video stream access vulnerability. • https://packetstorm.news/files/id/171540 • CWE-798: Use of Hard-coded Credentials •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-27078
https://notcve.org/view.php?id=CVE-2023-27078
23 Mar 2023 — A command injection issue was found in TP-Link MR3020 v.1_150921 that allows a remote attacker to execute arbitrary commands via a crafted request to the tftp endpoint. • https://github.com/B2eFly/Router/blob/main/TPLINK/MR3020/1.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 10%CPEs: 2EXPL: 6CVE-2023-1389 – TP-Link Archer AX-21 Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-1389
15 Mar 2023 — TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request. This vulnerability allows network-adjacent attackers to execute arb... • https://packetstorm.news/files/id/174131 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •