
CVE-2017-15618 – TP-Link Remote Command Injection
https://notcve.org/view.php?id=CVE-2017-15618
11 Jan 2018 — TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-enable variable in the pptp_client.lua file. Many TP-Link products suffer from multiple authenticated remote command injection vulnerabilities. • https://packetstorm.news/files/id/145823 •

CVE-2017-15624 – TP-Link Remote Command Injection
https://notcve.org/view.php?id=CVE-2017-15624
11 Jan 2018 — TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-authtype variable in the pptp_server.lua file. Many TP-Link products suffer from multiple authenticated remote command injection vulnerabilities. • https://packetstorm.news/files/id/145823 •

CVE-2017-15621 – TP-Link Remote Command Injection
https://notcve.org/view.php?id=CVE-2017-15621
11 Jan 2018 — TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the olmode variable in the interface_wan.lua file. Many TP-Link products suffer from multiple authenticated remote command injection vulnerabilities. • https://packetstorm.news/files/id/145823 •

CVE-2017-15625 – TP-Link Remote Command Injection
https://notcve.org/view.php?id=CVE-2017-15625
11 Jan 2018 — TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-olmode variable in the pptp_client.lua file. Many TP-Link products suffer from multiple authenticated remote command injection vulnerabilities. • https://packetstorm.news/files/id/145823 •

CVE-2017-15615 – TP-Link Remote Command Injection
https://notcve.org/view.php?id=CVE-2017-15615
11 Jan 2018 — TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the lcpechointerval variable in the pptp_client.lua file. Many TP-Link products suffer from multiple authenticated remote command injection vulnerabilities. • https://packetstorm.news/files/id/145823 •

CVE-2017-17746
https://notcve.org/view.php?id=CVE-2017-17746
20 Dec 2017 — Weak access control methods on the TP-Link TL-SG108E 1.0.0 allow any user on a NAT network with an authenticated administrator to access the device without entering user credentials. The authentication record is stored on the device; thus if an administrator authenticates from a NAT network, the authentication applies to the IP address of the NAT gateway, and any user behind that NAT gateway is also treated as authenticated. • http://seclists.org/fulldisclosure/2017/Dec/67 • CWE-306: Missing Authentication for Critical Function •

CVE-2017-17745 – TP-Link TL-SG108E XSS / Weak Access Control
https://notcve.org/view.php?id=CVE-2017-17745
20 Dec 2017 — Cross-site scripting (XSS) vulnerability in system_name_set.cgi in TP-Link TL-SG108E 1.0.0 allows authenticated remote attackers to submit arbitrary JavaScript via the 'sysName' parameter. TP-Link TL-SG108E with firmware 1.0.0 Build 20160722 Rel.50167 suffers from cross-site scripting and weak access control vulnerabilities. • https://packetstorm.news/files/id/145503 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2017-17747 – TP-Link TL-SG108E XSS / Weak Access Control
https://notcve.org/view.php?id=CVE-2017-17747
20 Dec 2017 — Weak access controls in the Device Logout functionality on the TP-Link TL-SG108E v1.0.0 allow remote attackers to call the logout functionality, triggering a denial of service condition. TP-Link TL-SG108E with firmware 1.0.0 Build 20160722 Rel.50167 suffers from c... • https://packetstorm.news/files/id/145503 • CWE-306: Missing Authentication for Critical Function •

CVE-2017-17758
https://notcve.org/view.php?id=CVE-2017-17758
19 Dec 2017 — TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/dhcps command to cgi-bin/luci, related to the zone_get_iface_bydev function in /usr/lib/lua/luci/controller/admin/dhcps.lua in uhttpd. • https://github.com/L1ZhaoXin/Router-Vulnerability-Research/blob/master/Tplink_LUCI_Dhcps_Authenticated_RCE_Record.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2017-17757
https://notcve.org/view.php?id=CVE-2017-17757
19 Dec 2017 — TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/wportal command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/wportal.lua in uhttpd. • https://github.com/L1ZhaoXin/Router-Vulnerability-Research/blob/master/Tplink_LUCI_Wechat_Authenticated_RCE_Record.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •