A-Link · A-Link WL54AP2 · CVE-2008-6823
Name of the Vulnerable Software and Affected Versions:
A-LINK WL54AP3 versions prior to 1.4.2-eng1
A-LINK WL54AP2 versions prior to 1.4.2-eng1
Description:
The management interface of the affected access points contains multiple cross-site request forgery (CSRF) vulnerabilities. They allow remote attackers to hijack the authentication of administrators for requests that modify the network configuration via certain parameters to "goform/formWanTcpipSetup" or modify credentials via certain parameters to "goform/formPasswordSetup".
Recommendations:
For A-LINK WL54AP3 versions prior to 1.4.2-eng1, update to firmware version 1.4.2-eng1 or later.
For A-LINK WL54AP2 versions prior to 1.4.2-eng1, update to firmware version 1.4.2-eng1 or later.
As a temporary workaround, consider restricting access to the management interface to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.
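The two endpoints named in the description can also be guarded with a same-origin check until the firmware is updated. The sketch below is an added example, not vendor code and not part of the original advisory. It assumes a filtering proxy (or a log-review script) sits in front of the management interface; the management address, sample requests and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Endpoints the advisory names as reachable by forged requests.
SENSITIVE_PATHS = {"/goform/formWanTcpipSetup", "/goform/formPasswordSetup"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) for an absolute URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed URL or port
        return None
    if not parts.scheme or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS.get(parts.scheme))

def is_forged(path, headers, mgmt_origin):
    """True if a request to a sensitive endpoint carries no proof that it
    was issued from the management UI's own origin."""
    if path.split("?", 1)[0] not in SENSITIVE_PATHS:
        return False
    hdrs = {k.lower(): v for k, v in headers.items()}
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return True  # fail closed: no Origin and no Referer
    claimed = origin_of(source)  # "null" or garbage parses to None
    return claimed is None or claimed != origin_of(mgmt_origin)

# Constructed sample data: the address and request headers are made up.
MGMT_ORIGIN = "http://192.168.1.254"
SAMPLES = [
    ("/goform/formPasswordSetup", {"Origin": "http://192.168.1.254"}),
    ("/goform/formWanTcpipSetup", {"Referer": "http://192.168.1.254:80/"}),
    ("/goform/formPasswordSetup", {"Referer": "http://example.test/a.html"}),
    ("/goform/formWanTcpipSetup", {"Origin": "null"}),
    ("/goform/formWanTcpipSetup?x=1", {}),
    ("/index.html", {}),
]

def classify(samples=SAMPLES, mgmt_origin=MGMT_ORIGIN):
    """Return a list of (path, verdict) pairs."""
    return [(p, "block" if is_forged(p, h, mgmt_origin) else "allow")
            for p, h in samples]

if __name__ == "__main__":
    for path, verdict in classify():
        print(f"{verdict:5}  {path}")
```

Requests with neither header are blocked on purpose: failing closed on the two state-changing endpoints costs little, because a browser submitting the management UI's own forms sends at least one of them.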