CVE-2018-10165

Name of the Vulnerable Software and Affected Versions: TP-Link EAP Controller and Omada Controller versions 2.5.4 Windows through 2.6.0 Windows

Description: A stored Cross-site scripting (XSS) issue allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality.

Recommendations: For versions 2.5.4 Windows through 2.6.0 Windows, update to version 2.6.1 Windows to resolve the issue. As a temporary workaround, consider restricting access to the local user creation functionality to minimize the risk of exploitation. Avoid using the userName parameter in the affected functionality until the issue is resolved.