CVE-2020-12475

Name of the Vulnerable Software and Affected Versions TP-Link Omada Controller Software version 3.2.6

Description The issue allows Directory Traversal for reading arbitrary files via the com.tp link.eap.web.portal.PortalController.getAdvertiseFile function in the /opt/tplink/EAPController/lib/eap-web-3.2.6.jar file. This can be exploited through the getAdvertiseFile function.

Recommendations For TP-Link Omada Controller Software version 3.2.6, consider restricting access to the com.tp link.eap.web.portal.PortalController.getAdvertiseFile function until a patch is available. As a temporary workaround, avoid using the vulnerable function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.