PT-2018-9728 · Tp Link · Tp-Link Eap Controller+1

Published

2018-05-03

Updated

2018-06-12

CVE-2018-10166

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: TP-Link EAP Controller and Omada Controller versions 2.5.4 Windows through 2.6.0 Windows

Description: The web management interface lacks Anti-CSRF tokens in forms, allowing an attacker to submit authenticated requests when an authenticated user visits a malicious domain.

Recommendations: For versions 2.5.4 Windows through 2.6.0 Windows, update to version 2.6.1 Windows to resolve the issue. As a temporary workaround, consider restricting access to the web management interface to minimize the risk of exploitation.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2018-10166

Affected Products

Omada Controller

Tp-Link Eap Controller

PT-2018-9728 · Tp Link · Tp-Link Eap Controller+1

CVE-2018-10166

Weakness Enumeration

Related Identifiers

Affected Products

References · 4