CVE-2018-10168
TP-Link EAP Controller CSRF / Hard-Coded Key / XSS
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows.
TP-Link EAP Controller y Omada Controller en versiones 2.5.4_Windows/2.6.0_Windows no controlan los privilegios para el uso de la API web, lo que permite que un usuario con pocos privilegios realice cualquier petición como Administrador. Esto se ha solucionado en la versión 2.6.1_Windows.
TP-Link EAP suffers from hard-coded credential, cross site request forgery, cross site scripting, and other vulnerabilities.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-04-16 CVE Reserved
- 2018-05-03 CVE Published
- 2024-02-16 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-269: Improper Privilege Management
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/104094 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Tp-link Search vendor "Tp-link" | Eap Controller Search vendor "Tp-link" for product "Eap Controller" | 2.5.4 Search vendor "Tp-link" for product "Eap Controller" and version "2.5.4" | windows |
Affected
| ||||||
| Tp-link Search vendor "Tp-link" | Eap Controller Search vendor "Tp-link" for product "Eap Controller" | 2.6.0 Search vendor "Tp-link" for product "Eap Controller" and version "2.6.0" | windows |
Affected
| ||||||