James Mclean

**Name of the Vulnerable Software and Affected Versions** TP-Link TL-SG108E version 1.0.0 **Description** A cross-site scripting (XSS) issue exists, allowing authenticated remote attackers to submit arbitrary JavaScript via the `sysName` parameter in the system name set.cgi file. **Recommendations** For TP-Link TL-SG108E version 1.0.0, avoid using the `sysName` parameter in the system name set.cgi file until a fix is available. As a temporary workaround, consider restricting access to the system name set.cgi file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TP-Link TL-SG108E version 1.0.0 **Description** The issue concerns weak access control methods. Specifically, if an administrator authenticates from a NAT network, the authentication applies to the IP address of the NAT gateway. As a result, any user behind that NAT gateway is also treated as authenticated, allowing them to access the device without entering user credentials. **Recommendations** For TP-Link TL-SG108E version 1.0.0, consider restricting access to the device from NAT networks or implementing additional authentication measures to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Link TL-SG108E version 1.0.0 **Description** The issue is related to weak access controls in the Device Logout functionality, allowing remote attackers to trigger a denial of service condition by calling the logout functionality. **Recommendations** For TP-Link TL-SG108E version 1.0.0, consider restricting access to the Device Logout functionality as a temporary workaround until a patch is available.