PT-2025-54254 · Unknown · Tinycontrol Lan Controller

Published: 2025-12-30 · Updated: 2025-12-31 · CVE-2023-54327

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tinycontrol LAN Controller version 1.58a
Description: An authentication bypass allows unauthenticated attackers to change admin passwords. This is achieved by sending a crafted API request to the /stm.cgi endpoint with a specially crafted authentication parameter, disabling access controls and allowing modification of administrative credentials. The vulnerable parameter is the authentication parameter within the API request.
Recommendations: Apply any available updates to address the authentication bypass. As a temporary workaround, restrict access to the /stm.cgi endpoint.

Exploit

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2023-54327

Affected Products: Tinycontrol Lan Controller