CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 1CVE-2021-38543
https://notcve.org/view.php?id=CVE-2021-38543
TP-Link UE330 USB splitter devices through 2021-08-09, in certain specific use cases in which the device supplies power to audio-output equipment, allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. We assume that the USB splitter supplies power to some speakers. The power indicator LED of the USB splitter is connected directly to the power line, as a result, the intensity of the USB splitter's power indicator LED is correlative to its power consumption. The sound played by the connected speakers affects the USB splitter's power consumption and as a result is also correlative to the light intensity of the LED. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LED of the USB splitter, we can recover the sound played by the connected speakers. • https://www.nassiben.com/glowworm-attack •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-28857
https://notcve.org/view.php?id=CVE-2021-28857
TP-Link's TL-WPA4220 4.0.2 Build 20180308 Rel.37064 username and password are sent via the cookie. TP-Link TL-WPA4220 Versión 4.0.2 Build 20180308 Rel.37064, un nombre de usuario y la contraseña son enviados por medio de la cookie • https://yunus-shn.medium.com/tp-links-tl-wpa4220-v4-0-cleartext-credentials-in-cookie-7516a2649394 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-28858
https://notcve.org/view.php?id=CVE-2021-28858
TP-Link's TL-WPA4220 4.0.2 Build 20180308 Rel.37064 does not use SSL by default. Attacker on the local network can monitor traffic and capture the cookie and other sensitive information. TP-Link TL-WPA4220 versión 4.0.2 Build 20180308 Rel.37064 no usa SSL por defecto. El atacante en la red local puede monitorear el tráfico y capturar la cookie y otra información confidencial • https://yunus-shn.medium.com/tp-links-tl-wpa4220-v4-0-cleartext-transmission-of-sensitive-information-40357c778b84 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2021-31659
https://notcve.org/view.php?id=CVE-2021-31659
TP-Link TL-SG2005, TL-SG2008, etc. 1.0.0 Build 20180529 Rel.40524 is vulnerable to Cross Site Request Forgery (CSRF). All configuration information is placed in the URL, without any additional token authentication information. A malicious link opened by the switch administrator may cause the password of the switch to be modified and the configuration file to be tampered with. TP-Link TL-SG2005, TL-SG2008, etc. versiones 1.0.0 Build 20180529 Rel.40524 es vulnerable a taques de tipo Cross Site Request Forgery (CSRF). Toda la información de configuración se coloca en la URL, sin ninguna información adicional de autenticación de token. • http://tp-link.com https://github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-31659 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 1CVE-2021-31658
https://notcve.org/view.php?id=CVE-2021-31658
TP-Link TL-SG2005, TL-SG2008, etc. 1.0.0 Build 20180529 Rel.40524 is affected by an Array index error. The interface that provides the "device description" function only judges the length of the received data, and does not filter special characters. This vulnerability will cause the application to crash, and all device configuration information will be erased. TP-Link TL-SG2005, TL-SG2008, etc. versiones 1.0.0 Build 20180529 Rel.40524 está afectado por un error de índice de matriz. La interfaz que proporciona la función "device description" sólo juzga la longitud de los datos recibidos, y no filtra los caracteres especiales. • http://tp-link.com https://github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-31658 • CWE-129: Improper Validation of Array Index •