5 results (0.014 seconds)

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1

Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows. Vulnerabilidad Cross-Site Scripting (XSS) persistente en TP-Link EAP Controller y Omada Controller en versiones 2.5.4_Windows/2.6.0_Windows permite que atacantes autenticados inyecten scripts web o HTML arbitrarios mediante la implementación de la funcionalidad portalPictureUpload. Esto se ha solucionado en la versión 2.6.1_Windows. TP-Link EAP suffers from hard-coded credential, cross site request forgery, cross site scripting, and other vulnerabilities. • http://www.securityfocus.com/bid/104094 https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1

Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows. Vulnerabilidad Cross-Site Scripting (XSS) persistente en TP-Link EAP Controller y Omada Controller en versiones 2.5.4_Windows/2.6.0_Windows permite que atacantes autenticados inyecten scripts web o HTML arbitrarios mediante el parámetro userName en la funcionalidad de creación de usuarios locales. Esto se ha solucionado en la versión 2.6.1_Windows. TP-Link EAP suffers from hard-coded credential, cross site request forgery, cross site scripting, and other vulnerabilities. • http://www.securityfocus.com/bid/104094 https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1

TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows. TP-Link EAP Controller y Omada Controller en versiones 2.5.4_Windows/2.6.0_Windows no controlan los privilegios para el uso de la API web, lo que permite que un usuario con pocos privilegios realice cualquier petición como Administrador. Esto se ha solucionado en la versión 2.6.1_Windows. TP-Link EAP suffers from hard-coded credential, cross site request forgery, cross site scripting, and other vulnerabilities. • http://www.securityfocus.com/bid/104094 https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities • CWE-269: Improper Privilege Management •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1

The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows. El archivo de copia de seguridad de la aplicación web en TP-Link EAP Controller y Omada Controller en versiones 2.5.4_Windows/2.6.0_Windows está cifrado con una clave criptográfica embebida, por lo que cualquiera que conozca dicha clave y el algoritmo puede descifrarlo. Un usuario con pocos privilegios puede descifrar y modificar el archivo de copia de seguridad para elevar sus privilegios. • http://www.securityfocus.com/bid/104094 https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities • CWE-798: Use of Hard-coded Credentials •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1

The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fixed in version 2.6.1_Windows. La interfaz web de gestión en TP-Link EAP Controller y Omada Controller en versiones 2.5.4_Windows/2.6.0_Windows no tiene tokens Anti-CSRF en ningún formulario. Esto permitiría que un atacante envíe peticiones autenticadas cuando un usuario autenticado navega por un dominio controlado por un atacante. • http://www.securityfocus.com/bid/104094 https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF) •