The default configuration of the TP-Link 8840T router enables web-based administration on the WAN interface, which allows remote attackers to establish an HTTP connection and possibly have unspecified other impact via unknown vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | 8840t | - |
Directory traversal vulnerability in the web-based management feature on the TP-LINK TL-WR841N router with firmware 3.13.9 build 120201 Rel.54965n and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to the help/ URI.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n | - |
| tp-link | tl-wr841n_firmware | * |
Directory traversal vulnerability in the web-based management interface on the TP-LINK TL-WR841N router with firmware 3.13.9 build 120201 Rel.54965n and earlier allows remote attackers to read arbitrary files via the URL parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 3.13.9 |
| tp-link | tl-wr841n | - |
Multiple cross-site scripting (XSS) vulnerabilities in the TP-LINK TL-WR841N router with firmware 3.13.9 Build 120201 Rel.54965n and earlier allow remote administrators to inject arbitrary web script or HTML via the (1) username or (2) pwd parameter to userRpm/NoipDdnsRpm.htm.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n | - |
| tp-link | tl-wr841n_firmware | * |
A Security Bypass vulnerability exists in TP-LINK IP Cameras TL-SC 3130, TL-SC 3130G, 3171G, 4171G, and 3130 1.6.18P12 due to default hard-coded credentials for the administrative Web interface, which could let a malicious user obtain unauthorized access to CGI files.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sc_3130_firmware | * |
| tp-link | tl-sc_3171g_firmware | * |
| tp-link | tl-sc_4171g_firmware | * |
| tp-link | tl-sc_3130g_firmware | * |
A Command Injection vulnerability exists in the ap parameter to the /cgi-bin/mft/wireless_mft.cgi file in TP-Link IP Cameras TL-SC 3130, TL-SC 3130G, 3171G. and 4171G 1.6.18P12s, which could let a malicious user execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sc_3171g_firmware | * |
| tp-link | tl-sc_4171g_firmware | * |
| tp-link | tl-sc_3130g_firmware | * |
cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the ServerName parameter and (2) other unspecified parameters.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | lm_firmware | * |
| tp-link | tl-sc3130 | - |
| tp-link | tl-sc3130g | - |
| tp-link | tl-sc3171 | - |
| tp-link | tl-sc3171g | - |
TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 have an empty password for the hardcoded "qmik" account, which allows remote attackers to obtain administrative access via a TELNET session.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | lm_firmware | * |
| tp-link | tl-sc3130 | - |
| tp-link | tl-sc3130g | - |
| tp-link | tl-sc3171 | - |
| tp-link | tl-sc3171g | - |
Unrestricted file upload vulnerability in cgi-bin/uploadfile in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6, allows remote attackers to upload arbitrary files, then accessing it via a direct request to the file in the mnt/mtd directory.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | lm_firmware | * |
| tp-link | tl-sc3130 | - |
| tp-link | tl-sc3130g | - |
| tp-link | tl-sc3171 | - |
| tp-link | tl-sc3171g | - |
cgi-bin/firmwareupgrade in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 allows remote attackers to modify the firmware revision via a "preset" action.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | lm_firmware | * |
| tp-link | tl-sc3130 | - |
| tp-link | tl-sc3130g | - |
| tp-link | tl-sc3171 | - |
| tp-link | tl-sc3171g | - |
Multiple cross-site request forgery (CSRF) vulnerabilities on the TP-LINK WR1043N router with firmware TL-WR1043ND_V1_120405 allow remote attackers to hijack the authentication of administrators for requests that (1) enable FTP access (aka "FTP directory traversal") to /tmp via the shareEntire parameter to userRpm/NasFtpCfgRpm.htm, (2) change the FTP administrative password via the nas_admin_pwd parameter to userRpm/NasUserAdvRpm.htm, (3) enable FTP on the WAN interface via the internetA parameter to userRpm/NasFtpCfgRpm.htm, (4) launch the FTP service via the startFtp parameter to userRpm/NasFtpCfgRpm.htm, or (5) enable or disable bandwidth limits via the QoSCtrl parameter to userRpm/QoSCfgRpm.htm.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | firmware | tl-wr1043nd_v1_120405 |
TP-LINK TL-WR1043ND V1_120405 devices contain an unspecified denial of service vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr1043nd_firmware | v1_120405 |
The TP-Link IP Cameras TL-SC3171, TL-SC3130, TL-SC3130G, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6, does not properly restrict access to certain administrative functions, which allows remote attackers to (1) cause a denial of service (device reboot) via a request to cgi-bin/reboot or (2) cause a denial of service (reboot and reset to factory defaults) via a request to cgi-bin/hardfactorydefault.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | lm_firmware | * |
| tp-link | tl-sc3130 | - |
| tp-link | tl-sc3130g | - |
| tp-link | tl-sc3171 | - |
| tp-link | tl-sc3171g | - |
Symlink Traversal vulnerability in TP-LINK TL-WDR4300 and TL-1043ND..
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr4300_firmware | - |
| tp-link | tl-1043nd_firmware | - |
TP-Link TL-WDR4300 version 3.13.31 has multiple CSRF vulnerabilities.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr4300_firmware | 3.13.31 |
Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | td-8816 | - |
| sitecom | wl-174 | - |
| allegrosoft | rompager | * |
| huawei | mt882 | - |
| dlink | dsl-2640r | - |
| dlink | dsl-2641r | - |
| zyxel | p-660hw_d1 | - |
Cross-site scripting (XSS) vulnerability in the DHCP clients page in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to inject arbitrary web script or HTML via the hostname in a DHCP request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr4300 | - |
| tp-link | tl-wdr4300_firmware | * |
The web server in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to cause a denial of service (crash) via a long header in a GET request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr4300 | - |
| tp-link | tl-wdr4300_firmware | * |
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-19,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr740n_firmware | 3.16.4 |
| tp-link | tl-wr740n_firmware | 3.17.0 |
| tp-link | tl-wr740n_firmware | 3.16.6 |
| tp-link | tl-wr740n | 4 |
Cross-site request forgery (CSRF) vulnerability in the administration console in TP-Link TL-WR840N (V1) router with firmware before 3.13.27 build 141120 allows remote attackers to hijack the authentication of administrators for requests that change router settings via a configuration file import.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 3.13.27 |
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-22,CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c7_(2.0)_firmware | * |
| tp-link | tl-wr841n_(9.0)_firmware | * |
| tp-link | archer_c8_(1.0)_firmware | * |
| tp-link | tl-wr740n_(5.0)_firmware | * |
| tp-link | tl-wr841n_(10.0)_firmware | * |
| tp-link | tl-wdr3600_(1.0)_firmware | * |
| tp-link | tl-wr741nd_(5.0) | - |
| tp-link | archer_c9_(1.0)_firmware | * |
| tp-link | tl-wdr4300_(1.0)_firmware | * |
| tp-link | tl-wdr3500_(1.0)_firmware | * |
| tp-link | tl-wr841nd_(10.0)_firmware | 150104 |
| tp-link | tl-wr741nd_(5.0)_firmware | * |
| tp-link | archer_c5_(1.2)_firmware | * |
| tp-link | tl-wr841nd_(9.0)_firmware | * |
TP-LINK lost control of two domains, www.tplinklogin.net and tplinkextender.net. Please note that these domains are physically printed on many of the devices.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tp-link | - |
TP-Link Archer CR-700 1.0.6 devices have an XSS vulnerability that can be introduced into the admin account through a DHCP request, allowing the attacker to steal the cookie information, which contains the base64 encoded username and password.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_cr700_firmware | 1.0.6 |
On TP-Link NC250 devices with firmware through 1.2.1 build 170515, anyone can view video and audio without authentication via an rtsp://admin@yourip:554/h264_hd.sdp URL.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | nc250_firmware | * |
passwd_recovery.lua on the TP-Link Archer C9(UN)_V2_160517 allows an attacker to reset the admin password by leveraging a predictable random number generator seed. This is fixed in C9(UN)_V2_170511.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-335,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c9_(2.0)_firmware | 160517 |
Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated users to execute arbitrary code via the (1) ping_addr parameter to PingIframeRpm.htm or (2) dnsserver2 parameter to WanStaticIpV6CfgRpm.htm.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wr940n_firmware | - |
Cross-site scripting (XSS) vulnerability in the Wireless MAC Filtering page in TP-LINK TL-MR3220 wireless routers allows remote attackers to inject arbitrary web script or HTML via the Description field.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-mr3220_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-interface variable in the cmxddns.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-outif variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the lcpechointerval variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-interface variable in the phddns.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the iface variable in the interface_wan.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-enable variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the pptphellointerval variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-zone variable in the ipmac_import.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the olmode variable in the interface_wan.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-mppeencryption variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-enable variable in the pptp_server.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-authtype variable in the pptp_server.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-olmode variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-bindif variable in the pptp_server.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-pns variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the lcpechointerval variable in the pptp_server.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-tunnelname variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-remotesubnet variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-workmode variable in the pptp_client.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-mppeencryption variable in the pptp_server.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-ipgroup variable in the session_limits.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the name variable in the wportal.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the max_conn variable in the session_limits.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-time variable in the webfilter.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the pptphellointerval variable in the pptp_server.lua file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wvr300_firmware | - |
| tp-link | war1750l_firmware | - |
| tp-link | war450_firmware | - |
| tp-link | wvr1300g_firmware | - |
| tp-link | wvr4300l_firmware | - |
| tp-link | r483_firmware | - |
| tp-link | r473gp-ac_firmware | - |
| tp-link | er5110g_firmware | - |
| tp-link | r473p-ac_firmware | - |
| tp-link | war900l_firmware | - |
| tp-link | r4299g_firmware | - |
| tp-link | wvr1300l_firmware | - |
| tp-link | wvr1750l_firmware | - |
| tp-link | wvr900l_firmware | - |
| tp-link | r4149g_firmware | - |
| tp-link | war302_firmware | - |
| tp-link | er5120g_firmware | - |
| tp-link | r478+_firmware | - |
| tp-link | r4239g_firmware | - |
| tp-link | wvr900g_firmware | 3.0_170306 |
| tp-link | r473g_firmware | - |
| tp-link | wvr450l_firmware | 1.0161125 |
| tp-link | r488_firmware | - |
| tp-link | r478g+_firmware | - |
| tp-link | war458_firmware | - |
| tp-link | war2600l_firmware | - |
| tp-link | war458l_firmware | - |
| tp-link | r483g_firmware | - |
| tp-link | war450l_firmware | - |
| tp-link | war1300l_firmware | - |
| tp-link | er5520g_firmware | - |
| tp-link | wvr302_firmware | - |
| tp-link | er5510g_firmware | - |
| tp-link | r473_firmware | - |
| tp-link | wvr458l_firmware | - |
| tp-link | r478_firmware | - |
| tp-link | wvr2600l_firmware | - |
| tp-link | wvr450_firmware | - |
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the iface field of an admin/diagnostic command to cgi-bin/luci, related to the zone_get_effect_devices function in /usr/lib/lua/luci/controller/admin/diagnostic.lua in uhttpd.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-er6510g_firmware | - |
| tp-link | tl-wvr458p_firmware | - |
| tp-link | tl-r478+_firmware | - |
| tp-link | tl-er5520g_firmware | - |
| tp-link | tl-wvr900l_firmware | - |
| tp-link | tl-war302_firmware | - |
| tp-link | tl-war458_firmware | - |
| tp-link | tl-r483_firmware | - |
| tp-link | tl-wvr458_firmware | - |
| tp-link | tl-er6520g_firmware | - |
| tp-link | tl-wvr302_firmware | - |
| tp-link | tl-r479p-ac_firmware | - |
| tp-link | tl-wvr458l_firmware | - |
| tp-link | tl-war2600l_firmware | - |
| tp-link | tl-r488_firmware | - |
| tp-link | tl-r473p-ac_firmware | - |
| tp-link | tl-war900l_firmware | - |
| tp-link | tl-r479gpe-ac_firmware | - |
| tp-link | tl-er5120g_firmware | - |
| tp-link | tl-er7520g_firmware | - |
| tp-link | tl-r479gp-ac_firmware | - |
| tp-link | tl-r478g_firmware | - |
| tp-link | tl-er5510g_firmware | - |
| tp-link | tl-r483g_firmware | - |
| tp-link | tl-er5110g_firmware | - |
| tp-link | tl-r473g_firmware | - |
| tp-link | tl-wvr1300g_firmware | - |
| tp-link | tl-wvr1200l_firmware | - |
| tp-link | tl-r478g+_firmware | - |
| tp-link | tl-er3220g_firmware | - |
| tp-link | tl-r478_firmware | - |
| tp-link | tl-war1750l_firmware | - |
| tp-link | tl-r4239g_firmware | - |
| tp-link | tl-r473_firmware | - |
| tp-link | tl-wvr1300l_firmware | - |
| tp-link | tl-r4149g_firmware | - |
| tp-link | tl-r4299g_firmware | - |
| tp-link | tl-er6110g_firmware | - |
| tp-link | tl-wvr450l_firmware | - |
| tp-link | tl-war450l_firmware | - |
| tp-link | tl-er3210g_firmware | - |
| tp-link | tl-er6220g_firmware | - |
| tp-link | tl-war458l_firmware | - |
| tp-link | tl-wvr450_firmware | - |
| tp-link | tl-wvr1750l_firmware | - |
| tp-link | tl-war1300l_firmware | - |
| tp-link | tl-wvr300_firmware | - |
| tp-link | tl-war1200l_firmware | - |
| tp-link | tl-wvr450g_firmware | - |
| tp-link | tl-war450_firmware | - |
| tp-link | tl-wvr900g_firmware | - |
| tp-link | tl-wvr4300l_firmware | - |
| tp-link | tl-er6120g_firmware | - |
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/bridge command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/bridge.lua in uhttpd.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-er6510g_firmware | - |
| tp-link | tl-wvr458p_firmware | - |
| tp-link | tl-r478+_firmware | - |
| tp-link | tl-er5520g_firmware | - |
| tp-link | tl-wvr900l_firmware | - |
| tp-link | tl-war302_firmware | - |
| tp-link | tl-war458_firmware | - |
| tp-link | tl-r483_firmware | - |
| tp-link | tl-wvr458_firmware | - |
| tp-link | tl-er6520g_firmware | - |
| tp-link | tl-wvr302_firmware | - |
| tp-link | tl-r479p-ac_firmware | - |
| tp-link | tl-wvr458l_firmware | - |
| tp-link | tl-war2600l_firmware | - |
| tp-link | tl-r488_firmware | - |
| tp-link | tl-r473p-ac_firmware | - |
| tp-link | tl-war900l_firmware | - |
| tp-link | tl-r479gpe-ac_firmware | - |
| tp-link | tl-er5120g_firmware | - |
| tp-link | tl-er7520g_firmware | - |
| tp-link | tl-r479gp-ac_firmware | - |
| tp-link | tl-r478g_firmware | - |
| tp-link | tl-er5510g_firmware | - |
| tp-link | tl-r483g_firmware | - |
| tp-link | tl-er5110g_firmware | - |
| tp-link | tl-r473g_firmware | - |
| tp-link | tl-wvr1300g_firmware | - |
| tp-link | tl-wvr1200l_firmware | - |
| tp-link | tl-r478g+_firmware | - |
| tp-link | tl-er3220g_firmware | - |
| tp-link | tl-r478_firmware | - |
| tp-link | tl-war1750l_firmware | - |
| tp-link | tl-r4239g_firmware | - |
| tp-link | tl-r473_firmware | - |
| tp-link | tl-wvr1300l_firmware | - |
| tp-link | tl-r4149g_firmware | - |
| tp-link | tl-r4299g_firmware | - |
| tp-link | tl-er6110g_firmware | - |
| tp-link | tl-wvr450l_firmware | - |
| tp-link | tl-war450l_firmware | - |
| tp-link | tl-er3210g_firmware | - |
| tp-link | tl-er6220g_firmware | - |
| tp-link | tl-war458l_firmware | - |
| tp-link | tl-wvr450_firmware | - |
| tp-link | tl-wvr1750l_firmware | - |
| tp-link | tl-war1300l_firmware | - |
| tp-link | tl-wvr300_firmware | - |
| tp-link | tl-war1200l_firmware | - |
| tp-link | tl-wvr450g_firmware | - |
| tp-link | tl-war450_firmware | - |
| tp-link | tl-wvr900g_firmware | - |
| tp-link | tl-wvr4300l_firmware | - |
| tp-link | tl-er6120g_firmware | - |
The locale feature in cgi-bin/luci on TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allows remote authenticated users to test for the existence of arbitrary files by making an operation=write;locale=%0d request, and then making an operation=read request with a crafted Accept-Language HTTP header, related to the set_sysinfo and get_sysinfo functions in /usr/lib/lua/luci/controller/locale.lua in uhttpd.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-er6510g_firmware | - |
| tp-link | tl-wvr458p_firmware | - |
| tp-link | tl-r478+_firmware | - |
| tp-link | tl-er5520g_firmware | - |
| tp-link | tl-wvr900l_firmware | - |
| tp-link | tl-war302_firmware | - |
| tp-link | tl-war458_firmware | - |
| tp-link | tl-r483_firmware | - |
| tp-link | tl-wvr458_firmware | - |
| tp-link | tl-er6520g_firmware | - |
| tp-link | tl-wvr302_firmware | - |
| tp-link | tl-r479p-ac_firmware | - |
| tp-link | tl-wvr458l_firmware | - |
| tp-link | tl-war2600l_firmware | - |
| tp-link | tl-r488_firmware | - |
| tp-link | tl-r473p-ac_firmware | - |
| tp-link | tl-war900l_firmware | - |
| tp-link | tl-r479gpe-ac_firmware | - |
| tp-link | tl-er5120g_firmware | - |
| tp-link | tl-er7520g_firmware | - |
| tp-link | tl-r479gp-ac_firmware | - |
| tp-link | tl-r478g_firmware | - |
| tp-link | tl-er5510g_firmware | - |
| tp-link | tl-r483g_firmware | - |
| tp-link | tl-er5110g_firmware | - |
| tp-link | tl-r473g_firmware | - |
| tp-link | tl-wvr1300g_firmware | - |
| tp-link | tl-wvr1200l_firmware | - |
| tp-link | tl-r478g+_firmware | - |
| tp-link | tl-er3220g_firmware | - |
| tp-link | tl-r478_firmware | - |
| tp-link | tl-war1750l_firmware | - |
| tp-link | tl-r4239g_firmware | - |
| tp-link | tl-r473_firmware | - |
| tp-link | tl-wvr1300l_firmware | - |
| tp-link | tl-r4149g_firmware | - |
| tp-link | tl-r4299g_firmware | - |
| tp-link | tl-er6110g_firmware | - |
| tp-link | tl-wvr450l_firmware | - |
| tp-link | tl-war450l_firmware | - |
| tp-link | tl-er3210g_firmware | - |
| tp-link | tl-er6220g_firmware | - |
| tp-link | tl-war458l_firmware | - |
| tp-link | tl-wvr450_firmware | - |
| tp-link | tl-wvr1750l_firmware | - |
| tp-link | tl-war1300l_firmware | - |
| tp-link | tl-wvr300_firmware | - |
| tp-link | tl-war1200l_firmware | - |
| tp-link | tl-wvr450g_firmware | - |
| tp-link | tl-war450_firmware | - |
| tp-link | tl-wvr900g_firmware | - |
| tp-link | tl-wvr4300l_firmware | - |
| tp-link | tl-er6120g_firmware | - |
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/interface command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/interface.lua in uhttpd.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-er6510g_firmware | - |
| tp-link | tl-wvr458p_firmware | - |
| tp-link | tl-wvr900l_firmware | - |
| tp-link | tl-war302_firmware | - |
| tp-link | tl-war458_firmware | - |
| tp-link | tl-r483 | v5 |
| tp-link | tl-wvr458_firmware | - |
| tp-link | tl-r479p-ac_firmware | - |
| tp-link | tl-wvr458l_firmware | - |
| tp-link | tl-war2600l_firmware | - |
| tp-link | tl-r473p-ac_firmware | - |
| tp-link | tl-r4239g | v2 |
| tp-link | tl-war900l_firmware | - |
| tp-link | tl-wvr900g | v3 |
| tp-link | tl-r479gpe-ac_firmware | - |
| tp-link | tl-er5520g | v2 |
| tp-link | tl-er5120g_firmware | - |
| tp-link | tl-er7520g_firmware | - |
| tp-link | tl-r479gp-ac_firmware | - |
| tp-link | tl-r478g_firmware | - |
| tp-link | tl-wvr302 | v2 |
| tp-link | tl-er5110g_firmware | - |
| tp-link | tl-wvr300 | v4 |
| tp-link | tl-r473g_firmware | - |
| tp-link | tl-wvr1300g_firmware | - |
| tp-link | tl-er5510g | v3 |
| tp-link | tl-wvr1200l_firmware | - |
| tp-link | tl-war1750l_firmware | - |
| tp-link | tl-r488 | v5 |
| tp-link | tl-er3220g_firmware | * |
| tp-link | tl-er5520g | v3 |
| tp-link | tl-wvr1300l_firmware | - |
| tp-link | tl-r4149g_firmware | - |
| tp-link | tl-er6520g | v2 |
| tp-link | tl-r473gp-ac_firmware | - |
| tp-link | tl-er6110g_firmware | - |
| tp-link | tl-wvr450l_firmware | - |
| tp-link | tl-war450l_firmware | - |
| tp-link | tl-er3210g_firmware | - |
| tp-link | tl-er6220g_firmware | - |
| tp-link | tl-war458l_firmware | - |
| tp-link | tl-wvr450_firmware | - |
| tp-link | tl-er6520g | v3 |
| tp-link | tl-wvr1750l_firmware | - |
| tp-link | tl-war1300l_firmware | - |
| tp-link | tl-war1200l_firmware | - |
| tp-link | tl-r478 | v6 |
| tp-link | tl-wvr450g | v5 |
| tp-link | tl-r478+ | v7 |
| tp-link | tl-r478g+ | v3 |
| tp-link | tl-war450_firmware | - |
| tp-link | tl-wvr2600l_firmware | - |
| tp-link | tl-r483g | v2 |
| tp-link | tl-wvr4300l_firmware | - |
| tp-link | tl-er5510g | v2 |
| tp-link | tl-r473 | v5 |
| tp-link | tl-r4299g | v2 |
| tp-link | tl-er6120g | v2 |
Cross-site scripting (XSS) vulnerability in system_name_set.cgi in TP-Link TL-SG108E 1.0.0 allows authenticated remote attackers to submit arbitrary java script via the 'sysName' parameter.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg108e_firmware | 1.0.0 |
Weak access control methods on the TP-Link TL-SG108E 1.0.0 allow any user on a NAT network with an authenticated administrator to access the device without entering user credentials. The authentication record is stored on the device; thus if an administrator authenticates from a NAT network, the authentication applies to the IP address of the NAT gateway, and any user behind that NAT gateway is also treated as authenticated.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg108e_firmware | 1.0.0 |
Weak access controls in the Device Logout functionality on the TP-Link TL-SG108E v1.0.0 allow remote attackers to call the logout functionality, triggering a denial of service condition.
CVSS 2.0
Severity: LOW
Problem Type: CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg108e_firmware | 1.0.0 |
TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/wportal command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/wportal.lua in uhttpd.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wvr1750l_firmware | - |
| tp-link | tl-war1300l_firmware | - |
| tp-link | tl-war1200l_firmware | - |
| tp-link | tl-wvr900l_firmware | - |
| tp-link | tl-wvr1300l_firmware | - |
| tp-link | tl-wvr2600l_firmware | - |
| tp-link | tl-wvr458l_firmware | - |
| tp-link | tl-war2600l_firmware | - |
| tp-link | tl-wvr4300l_firmware | - |
| tp-link | tl-wvr450l_firmware | - |
| tp-link | tl-war450l_firmware | - |
| tp-link | tl-wvr1200l_firmware | - |
| tp-link | tl-war458l_firmware | - |
| tp-link | tl-war1750l_firmware | - |
| tp-link | tl-war900l_firmware | - |
TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/dhcps command to cgi-bin/luci, related to the zone_get_iface_bydev function in /usr/lib/lua/luci/controller/admin/dhcps.lua in uhttpd.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wvr1750l_firmware | - |
| tp-link | tl-war1300l_firmware | - |
| tp-link | tl-war1200l_firmware | - |
| tp-link | tl-wvr900l_firmware | - |
| tp-link | tl-wvr1300l_firmware | - |
| tp-link | tl-wvr2600l_firmware | - |
| tp-link | tl-wvr458l_firmware | - |
| tp-link | tl-war2600l_firmware | - |
| tp-link | tl-wvr4300l_firmware | - |
| tp-link | tl-wvr450l_firmware | - |
| tp-link | tl-war450l_firmware | - |
| tp-link | tl-wvr1200l_firmware | - |
| tp-link | tl-war458l_firmware | - |
| tp-link | tl-war1750l_firmware | - |
| tp-link | tl-war900l_firmware | - |
On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credentials from "SEND data" log lines where passwords are encoded in hexadecimal. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-532,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg108e_firmware | 1.1.2 |
On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credentials from "Switch Info" log lines where passwords are in cleartext. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-532,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg108e_firmware | 1.1.2 |
On the TP-Link TL-SG108E 1.0, admin network communications are RC4 encoded, even though RC4 is deprecated. This affects the 1.1.2 Build 20141017 Rel.50749 firmware.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-326,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg108e_firmware | 1.1.2 |
On the TP-Link TL-SG108E 1.0, there is a hard-coded ciphering key (a long string beginning with Ei2HNryt). This affects the 1.1.2 Build 20141017 Rel.50749 firmware.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg108e_firmware | 1.1.2 |
On the TP-Link TL-SG108E 1.0, the upgrade process can be requested remotely without authentication (httpupg.cgi with a parameter called cmd). This affects the 1.1.2 Build 20141017 Rel.50749 firmware.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg108e_firmware | 1.1.2 |
TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n have too permissive iptables rules, e.g., SNMP is not blocked on any interface.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-862,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | c2_firmware | * |
| tp-link | c20i_firmware | * |
vsftpd on TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n has a backdoor admin account with the 1234 password, a backdoor guest account with the guest password, and a backdoor test account with the test password.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-1188,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | c2_firmware | * |
| tp-link | c20i_firmware | * |
TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow DoSing the HTTP server via a crafted Cookie header to the /cgi/ansi URI.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | c2_firmware | * |
| tp-link | c20i_firmware | * |
TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow remote code execution with a single HTTP request by placing shell commands in a "host=" line within HTTP POST data.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | c2_firmware | * |
| tp-link | c20i_firmware | * |
The executable httpd on the TP-Link WR841N V8 router before TL-WR841N(UN)_V8_170210 contained a design flaw in the use of DES for block encryption. This resulted in incorrect access control, which allowed attackers to gain read-write access to system settings through the protected router configuration service tddp via the LAN and Ath0 (Wi-Fi) interfaces.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-327,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wr841n_v8_firmware | * |
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap_controller | 2.6.0 |
| tp-link | eap_controller | 2.5.4 |
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap_controller | 2.6.0 |
| tp-link | eap_controller | 2.5.4 |
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fixed in version 2.6.1_Windows.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap_controller | 2.6.0 |
| tp-link | eap_controller | 2.5.4 |
The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap_controller | 2.6.0 |
| tp-link | eap_controller | 2.5.4 |
TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap_controller | 2.6.0 |
| tp-link | eap_controller | 2.5.4 |
TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ipc_tl-ipc223(p)-6_firmware | * |
| tp-link | tl-ipc40a-4_firmware | * |
| tp-link | tl-ipc323k-d_firmware | * |
| tp-link | tl-ipc325(kp)_firmware | * |
/usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded zMiVw8Kw0oxKXL0 password.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ipc_tl-ipc223(p)-6_firmware | * |
| tp-link | tl-ipc40a-4_firmware | * |
| tp-link | tl-ipc323k-d_firmware | * |
| tp-link | tl-ipc325(kp)_firmware | * |
An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling on the /cgi/ folder or a /cgi file. If an attacker sends a header of "Referer: http://192.168.0.1/mainFrame.htm" then no authentication is required for any action.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-384,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 0.9.1_4.16 |
| tp-link | tl-wr840n_firmware | 0.9.1_3.16 |
CSRF exists for all actions in the web interface on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 0.9.1_4.16 |
On TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 171019 Rel.55346n devices, all actions in the web interface are affected by bypass of authentication via an HTTP request.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 0.9.1_4.16 |
TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow clickjacking.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-1021,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 0.9.1_4.16 |
The Ping and Traceroute features on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow authenticated blind Command Injection.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 0.9.1_4.16 |
TP-Link TL-WA850RE Wi-Fi Range Extender with hardware version 5 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the wps_setup_pin parameter to /data/wps.setup.json.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa850re_firmware | - |
Stack-based buffer overflow in TP-Link TL-WA850RE Wi-Fi Range Extender with hardware version 5 allows remote authenticated users to cause a denial of service (outage) via a long type parameter to /data/syslog.filter.json.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa850re_firmware | - |
TP-Link TL-WA850RE Wi-Fi Range Extender with hardware version 5 allows remote attackers to cause a denial of service (reboot) via data/reboot.json.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa850re_firmware | - |
TP-Link Archer C1200 1.13 Build 2018/01/24 rel.52299 EU devices have XSS via the PATH_INFO to the /webpages/data URI.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c1200_firmware | 1.13 |
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wr840n | - |
TP-Link WR840N devices have a buffer overflow via a long Authorization HTTP header.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 0.9.1 |
The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to a denial of service when an unauthenticated LAN user sends a crafted HTTP header containing an unexpected Referer field.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wrn841n_firmware | 0.9.1_4.16_v0348.0 |
The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to a denial of service when an unauthenticated LAN user sends a crafted HTTP header containing an unexpected Cookie field.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wrn841n_firmware | 0.9.1_4.16_v0348.0 |
The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is vulnerable to CSRF due to insufficient validation of the referer field.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wrn841n_firmware | 0.9.1_4.16_v0348.0 |
TP-Link TL-WR840N devices allow remote attackers to cause a denial of service (networking outage) via fragmented packets, as demonstrated by an "nmap -f" command.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | - |
Stack-based buffer overflow in the httpd server of TP-Link WR1043nd (Firmware Version 3) allows remote attackers to execute arbitrary code via a malicious MediaServer request to /userRpm/MediaServerFoldersCfgRpm.htm.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr1043nd_firmware | 3.00 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for wlan_access name.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for firewall dmz enable.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for firewall lan_manage mac2.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for wireless wlan_wds_2g ssid.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for wireless wlan_host_2g power.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for wireless wlan_host_2g isolate.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for wireless wlan_host_2g bandwidth.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for hosts_info para sun.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for hosts_info set_block_flag up_limit.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for protocol wan wan_rate.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for ip_mac_bind name.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for ddns phddns username.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for reboot_timer name.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for dhcpd udhcpd enable.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7.0 1.1.0 devices. Authenticated attackers can crash router services (e.g., inetd, HTTP, DNS, and UPnP) via long JSON data for time_switch name.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 6.0_2.3.4 |
| tp-link | tl-wr886n_firmware | 7.0_1.1.0 |
TP-Link TL-SC3130 1.6.18P12_121101 devices allow unauthenticated RTSP stream access, as demonstrated by a /jpg/image.jpg URI.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sc3130_firmware | 1.6.18p12_121101 |
The ping feature in the Diagnostic functionality on TP-LINK WR840N v2 Firmware 3.16.9 Build 150701 Rel.51516n devices allows remote attackers to cause a denial of service (HTTP service termination) by modifying the packet size to be higher than the UI limit of 1472.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wr840n_firmware | 3.16.9 |
TP-Link TL-WR886N 7.0 1.1.0 devices allow remote attackers to cause a denial of service (Tlb Load Exception) via crafted DNS packets to port 53/udp.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 7.0.1.1.0 |
TP-Link Archer C5 devices through V2_160201_US allow remote command execution via shell metacharacters on the wan_dyn_hostname line of a configuration file that is encrypted with the 478DA50BF9E3D2CF key and uploaded through the web GUI by using the web admin account. The default password of admin may be used in some cases.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-434,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c5_firmware | * |
TP-Link TD-W8961ND devices allow XSS via the hostname of a DHCP client.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | td-w8961nd_firmware | 1.0.1 |
An exploitable denial-of-service vulnerability exists in the URI-parsing functionality of the TP-Link TL-R600VPN HTTP server. A specially crafted URL can cause the server to stop responding to requests, resulting in downtime for the management portal. An attacker can send either an unauthenticated or authenticated web request to trigger this vulnerability.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-r600vpn_firmware | 1.3.0 |
| tp-link | tl-r600vpn_firmware | 1.2.3 |
An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A specially crafted URL can cause a directory traversal, resulting in the disclosure of sensitive system files. An attacker can send either an unauthenticated or an authenticated web request to trigger this vulnerability.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-r600vpn_firmware | 1.3.0 |
| tp-link | tl-r600vpn_firmware | 1.2.3 |
An exploitable remote code execution vulnerability exists in the ping and tracert functionality of the TP-Link TL-R600VPN HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3 http server. A specially crafted IP address can cause a stack overflow, resulting in remote code execution. An attacker can send a single authenticated HTTP request to trigger this vulnerability.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-r600vpn_firmware | 1.3.0 |
| tp-link | tl-r600vpn_firmware | 1.2.3 |
An exploitable remote code execution vulnerability exists in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP Server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. An attacker can send an authenticated HTTP request to trigger this vulnerability.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-r600vpn_firmware | * |
The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. It utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface does not require any authentication before use, so it lacks user authentication for RMI service commands in EAP controller versions 2.5.3 and earlier. Remote attackers can implement deserialization attacks through the RMI protocol. Successful attacks may allow a remote attacker to remotely control the target server and execute Java functions or bytecode.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-306,CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap_controller | * |
The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | m7350_firmware | * |
The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by several post-authentication command injection vulnerabilities.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-77,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | m7350_firmware | * |
TP-Link TL-WR840N v5 00000005 devices allow XSS via the network name. The attacker must log into the router by breaking the password and going to the admin login page by THC-HYDRA to get the network name. With an XSS payload, the network name changed automatically and the internet connection was disconnected. All the users become disconnected from the internet.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 0.9.1_3.16 |
TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-669,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c2_v1_firmware | - |
| tp-link | archer_c3200_v1_firmware | - |
TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. In order to transfer data from the host network to the guest network, the sender joins and then leaves an IGMP group. After it leaves, the router (following the IGMP protocol) creates an IGMP Membership Query packet with the Group IP and sends it to both the Host and the Guest networks. The data is transferred within the Group IP field, which is completely controlled by the sender.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c2_v1_firmware | - |
| tp-link | archer_c3200_v1_firmware | - |
TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. They forward ARP requests, which are sent as broadcast packets, between the host and the guest networks. To use this leakage as a direct covert channel, the sender can trivially issue an ARP request to an arbitrary computer on the network. (In general, some routers restrict ARP forwarding only to requests destined for the network's subnet mask, but these routers did not restrict this traffic in any way. Depending on this factor, one must use either the lower 8 bits of the IP address, or the entire 32 bits, as the data payload.)
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c2_v1_firmware | - |
| tp-link | archer_c3200_v1_firmware | - |
CMD_FTEST_CONFIG in the TP-Link Device Debug protocol in TP-Link Wireless Router Archer Router version 1.0.0 Build 20180502 rel.45702 (EU) and earlier is prone to a stack-based buffer overflow, which allows a remote attacker to achieve code execution or denial of service by sending a crafted payload to the listening server.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c1200_firmware | 1.0.0 |
CMD_SET_CONFIG_COUNTRY in the TP-Link Device Debug protocol in TP-Link Archer C1200 1.0.0 Build 20180502 rel.45702 and earlier is prone to a stack-based buffer overflow, which allows a remote attacker to achieve code execution or denial of service by sending a crafted payload to the listening server.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c1200_firmware | 1.0.0 |
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow externalPort OS Command Injection (issue 1 of 5).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | m7350_firmware | * |
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow internalPort OS Command Injection (issue 2 of 5).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | m7350_firmware | * |
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow portMappingProtocol OS Command Injection (issue 3 of 5).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | m7350_firmware | * |
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow serviceName OS Command Injection (issue 4 of 5).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | m7350_firmware | * |
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow triggerPort OS Command Injection (issue 5 of 5).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | m7350_firmware | * |
The traceroute function on the TP-Link TL-WR840N v4 router with firmware through 0.9.1 3.16 is vulnerable to remote code execution via a crafted payload in an IP address input field.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | * |
The Web Management of TP-Link TP-SG105E V4 1.0.0 Build 20181120 devices allows an unauthenticated attacker to reboot the device via a reboot.cgi request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tp-sg105e_firmware | 1.0.0 |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-LINK TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 80 by default. When parsing the Host request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length static buffer. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-8457.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 0.9.1_4.16 |
TP-LINK TL-WR849N 0.9.1 4.16 devices do not require authentication to replace the firmware via a POST request to the cgi/softup URI.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr849n_firmware | 0.9.1_4.16 |
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr3600_firmware | * |
| tp-link | tl-wdr3500_firmware | * |
| tp-link | tl-wdr5620_firmware | * |
| tp-link | tl-wdr4300_firmware | * |
| tp-link | tl-wdr4900_firmware | * |
An issue was discovered on TP-Link TL-WR1043ND V2 devices. An attacker can send a cookie in an HTTP authentication packet to the router management web interface, and fully control the router without knowledge of the credentials.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr1043nd_firmware | 2.0 |
An issue was discovered on TP-Link TL-WR1043ND V2 devices. The credentials can be easily decoded and cracked by brute-force, WordList, or Rainbow Table attacks. Specifically, credentials in the "Authorization" cookie are encoded with URL encoding and base64, leading to easy decoding. Also, the username is cleartext, and the password is hashed with the MD5 algorithm (after decoding of the URL encoded string with base64).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-326,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr1043nd_firmware | 2.0 |
TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ipAddrDispose function. By sending specially crafted ICMP echo request packets, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr941nd_firmware | - |
| tp-link | tl-wr940n_firmware | - |
TP-Link NC200 through 2.1.8_Build_171109, NC210 through 1.0.9_Build_171214, NC220 through 1.3.0_Build_180105, NC230 through 1.3.0_Build_171205, NC250 through 1.3.0_Build_171205, NC260 through 1.5.1_Build_190805, and NC450 through 1.5.0_Build_181022 devices allow a remote NULL Pointer Dereference.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | nc250_firmware | 1.3.0 |
| tp-link | nc200_firmware | 2.1.7 |
| tp-link | nc260_firmware | 1.0.5 |
| tp-link | nc260_firmware | 1.0.6 |
| tp-link | nc220_firmware | 1.1.14 |
| tp-link | nc450_firmware | 1.5.0 |
| tp-link | nc200_firmware | 2.1.6 |
| tp-link | nc220_firmware | 1.1.12 |
| tp-link | nc230_firmware | 1.3.0 |
| tp-link | nc220_firmware | 1.3.0 |
| tp-link | nc450_firmware | 1.1.2 |
| tp-link | nc220_firmware | 1.2.0 |
| tp-link | nc260_firmware | 1.5.1 |
| tp-link | nc450_firmware | 1.1.6 |
| tp-link | nc210_firmware | 1.0.9 |
| tp-link | nc450_firmware | 1.1.1 |
| tp-link | nc200_firmware | 2.1.8 |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DNS responses. A crafted DNS message can trigger an overflow of a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9660.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-121,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | 190726 |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | 190726 |
This vulnerability allows local attackers to escalate privileges on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the file system. The issue lies in the lack of proper permissions set on the file system. An attacker can leverage this vulnerability to escalate privileges. Was ZDI-CAN-9651.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-732,CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | 190726 |
This vulnerability allows network-adjacent attackers execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. This issue results from the use of hard-coded encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9652.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-321,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | 190726 |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DNS responses. The issue results from the lack of proper validation of DNS reponses prior to further processing. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the root user. Was ZDI-CAN-9661.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | 190726 |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tmpServer service, which listens on TCP port 20002. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9662.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | 190726 |
This vulnerability allows a firewall bypass on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of IPv6 connections. The issue results from the lack of proper filtering of IPv6 SSH connections. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9663.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-693,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | 190726 |
This vulnerability allows remote attackers to bypass authentication on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SSH port forwarding requests during initial setup. The issue results from the lack of proper authentication prior to establishing SSH port forwarding rules. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the WAN interface. Was ZDI-CAN-9664.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | 190726 |
This vulnerability allows network-adjacent attackers to escalate privileges on affected installations of TP-Link TL-WA855RE Firmware Ver: 855rev4-up-ver1-0-1-P1[20191213-rel60361] Wi-Fi extenders. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the first-time setup process. The issue results from the lack of proper validation on first-time setup requests. An attacker can leverage this vulnerability to reset the password for the Admin account and execute code in the context of the device. Was ZDI-CAN-10003.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa855re_firmware | 190408 |
| tp-link | tl-wa855re_firmware | 191213 |
TP-Link cloud cameras through 2020-02-09 allow remote attackers to bypass authentication and obtain sensitive information via vectors involving a Wi-Fi session with GPS enabled, aka CNVD-2020-04855.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | nc200_firmware | * |
| tp-link | kc300s2_firmware | * |
| tp-link | tl-sc3430_firmware | * |
| tp-link | nc230_firmware | * |
| tp-link | nc210_firmware | * |
| tp-link | kc200_firmware | * |
| tp-link | nc450_firmware | * |
| tp-link | tl-sc4171g_firmware | * |
| tp-link | nc250_firmware | * |
| tp-link | tl-sc3430n_firmware | * |
| tp-link | tapo_c200_firmware | * |
| tp-link | kc310s2_firmware | * |
| tp-link | tapo_c100_firmware | * |
| tp-link | nc220_firmware | * |
| tp-link | nc260_firmware | * |
Certain TP-Link devices allow Command Injection. This affects NC200 2.1.9 build 200225, NC210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | nc250_firmware | 1.3.0 |
| tp-link | nc260_firmware | 1.0.5 |
| tp-link | nc260_firmware | 1.0.6 |
| tp-link | nc250_firmware | 1.2.1 |
| tp-link | nc210_firmware | 1.0.3 |
| tp-link | nc260_firmware | 1.4.1 |
| tp-link | nc200_firmware | 2.1.6 |
| tp-link | nc210_firmware | 1.0.4 |
| tp-link | nc230_firmware | 1.2.1 |
| tp-link | nc230_firmware | 1.3.0 |
| tp-link | nc450_firmware | 1.3.4 |
| tp-link | nc220_firmware | 1.3.0 |
| tp-link | nc450_firmware | 1.1.2 |
| tp-link | nc220_firmware | 1.2.0 |
| tp-link | nc450_firmware | 1.0.15 |
| tp-link | nc250_firmware | 1.0.8 |
| tp-link | nc250_firmware | 1.0.10 |
| tp-link | nc210_firmware | 1.0.9 |
| tp-link | nc230_firmware | 1.0.3 |
| tp-link | nc260_firmware | 1.5.2 |
| tp-link | nc450_firmware | 1.5.3 |
| tp-link | nc200_firmware | 2.1.9 |
| tp-link | nc260_firmware | 1.5.0 |
Certain TP-Link devices have a Hardcoded Encryption Key. This affects NC200 2.1.9 build 200225, N210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | nc250_firmware | 1.3.0 |
| tp-link | nc260_firmware | 1.0.5 |
| tp-link | nc260_firmware | 1.0.6 |
| tp-link | nc250_firmware | 1.2.1 |
| tp-link | nc210_firmware | 1.0.3 |
| tp-link | nc260_firmware | 1.4.1 |
| tp-link | nc200_firmware | 2.1.6 |
| tp-link | nc210_firmware | 1.0.4 |
| tp-link | nc230_firmware | 1.2.1 |
| tp-link | nc230_firmware | 1.3.0 |
| tp-link | nc450_firmware | 1.3.4 |
| tp-link | nc220_firmware | 1.3.0 |
| tp-link | nc450_firmware | 1.1.2 |
| tp-link | nc220_firmware | 1.2.0 |
| tp-link | nc450_firmware | 1.0.15 |
| tp-link | nc250_firmware | 1.0.8 |
| tp-link | nc250_firmware | 1.0.10 |
| tp-link | nc210_firmware | 1.0.9 |
| tp-link | nc230_firmware | 1.0.3 |
| tp-link | nc260_firmware | 1.5.2 |
| tp-link | nc450_firmware | 1.5.3 |
| tp-link | nc200_firmware | 2.1.9 |
| tp-link | nc260_firmware | 1.5.0 |
Certain TP-Link devices allow Command Injection. This affects NC260 1.5.2 build 200304 and NC450 1.5.3 build 200304.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | nc450_firmware | 1.1.2 |
| tp-link | nc260_firmware | 1.0.5 |
| tp-link | nc450_firmware | 1.0.15 |
| tp-link | nc260_firmware | 1.0.6 |
| tp-link | nc260_firmware | 1.4.1 |
| tp-link | nc260_firmware | 1.5.2 |
| tp-link | nc450_firmware | 1.5.3 |
| tp-link | nc260_firmware | 1.5.0 |
| tp-link | nc450_firmware | 1.3.4 |
TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for reading arbitrary files via com.tp_link.eap.web.portal.PortalController.getAdvertiseFile in /opt/tplink/EAPController/lib/eap-web-3.2.6.jar.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_controller | 3.2.6 |
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H | 2.2 | 4.7 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-276,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| hp | 5030_z4a70a | - |
| hp | envy_pro_6420_6wd16a | - |
| hp | hp_envy_4524_k9t01a | - |
| hp | hp_envy_4521_k9t10b | - |
| hp | deskjet_ink_advantage_3548_a9t81b | - |
| hp | envy_5547_j6u64a | - |
| epson | xp-100 | - |
| hp | hp_deskjet_ink_advantage_4536_f0v65a | - |
| hp | deskjet_ink_advantage_3546_a9t82a | - |
| epson | xp-970 | - |
| hp | envy_photo_6234_k7s21b | - |
| hp | envy_4501_c8d05a | - |
| hp | envy_5664_f8b08a | - |
| hp | deskjet_ink_advantage_3545_a9t81a | - |
| hp | officejet_4655_k9v79a | - |
| cisco | wap150 | - |
| huawei | hg532e | - |
| hp | envy_photo_6200_k7s21b | - |
| hp | envy_114_cq811a | - |
| hp | hp_envy_4526_k9t05b | - |
| hp | envy_4520_f0v63a | - |
| hp | deskjet_ink_advantage_4535_f0v64b | - |
| hp | officejet_4652_f1j02a | - |
| hp | envy_4500_a9t89a | - |
| hp | envy_5532 | - |
| hp | envy_photo_7100_k7g93a | - |
| hp | deskjet_ink_advantage_3545_a9t83b | - |
| hp | envy_4502_a9t87b | - |
| hp | envy_5534 | - |
| hp | envy_5530 | - |
| hp | envy_5644_b9s65a | - |
| hp | envy_5646_f8b05a | - |
| hp | hp_envy_4524_f0v72b | - |
| hp | deskjet_ink_advantage_4675_f1h97c | - |
| hp | deskjet_ink_advantage_3545_a9t81c | - |
| hp | envy_120_cz022c | - |
| hp | envy_5020_m2u91b | - |
| hp | hp_envy_4520_e6g67a | - |
| hp | envy_110_cq809d | - |
| hp | hp_envy_4511_k9h50a | - |
| hp | hp_deskjet_ink_advantage_4675_f1h97a | - |
| microsoft | windows_10 | - |
| w1.fi | hostapd | * |
| hp | envy_photo_7100_z3m37a | - |
| hp | envy_5536 | - |
| epson | xp-8500 | - |
| hp | envy_6020_5se16b | - |
| hp | envy_4522_f0v67a | - |
| hp | envy_5541_k7g89a | - |
| hp | hp_envy_4513_k9h51a | - |
| hp | envy_110_cq809a | - |
| hp | envy_4523_j6u60b | - |
| hp | hp_deskjet_ink_advantage_4535_f0v64c | - |
| broadcom | adsl | - |
| hp | hp_officejet_4654_f1j06b | - |
| hp | envy_5540_g0v53a | - |
| epson | xp-320 | - |
| hp | officejet_4650_e6g87a | - |
| canon | selphy_cp1200 | - |
| hp | 5020_z4a69a | - |
| hp | envy_100_cn518a | - |
| hp | hp_envy_4520_f0v63b | - |
| hp | envy_pro_6420_5se46a | - |
| hp | envy_5548_k7g87a | - |
| hp | envy_photo_6232_k7g26b | - |
| nec | wr8165n | - |
| hp | hp_officejet_4658_v6d30b | - |
| zyxel | vmg8324-b10a | - |
| hp | envy_4509_d3p94b | - |
| debian | debian_linux | 10.0 |
| epson | xp-4100 | - |
| hp | deskjet_ink_advantage_4675_f1h97a | - |
| hp | envy_120_cz022b | - |
| hp | hp_envy_4520_f0v69a | - |
| ui | unifi_controller | - |
| hp | officejet_4650_f1h96a | - |
| hp | envy_4511_k9h50a | - |
| hp | envy_4509_d3p94a | - |
| hp | envy_4525_k9t09b | - |
| ruckussecurity | zonedirector_1200 | - |
| epson | xp-4105 | - |
| hp | hp_deskjet_ink_advantage_4538_f0v66b | - |
| hp | deskjet_ink_advantage_4518 | - |
| hp | envy_5640_b9s56a | - |
| hp | hp_envy_4520_e6g67b | - |
| huawei | hg255s | - |
| hp | hp_envy_4520_f0v63a | - |
| fedoraproject | fedora | 32 |
| hp | envy_photo_7100_3xd89a | - |
| hp | envy_120_cz022a | - |
| hp | hp_officejet_4655_k9v82b | - |
| hp | 5660_f8b04a | - |
| hp | envy_4500_a9t80a | - |
| hp | envy_4521_k9t10b | - |
| hp | envy_photo_6230_k7g25b | - |
| hp | envy_photo_6200_y0k15a | - |
| asus | rt-n11 | - |
| hp | envy_4512_k9h49a | - |
| epson | xp-440 | - |
| hp | envy_6020_6wd35a | - |
| hp | hp_officejet_4655_f1j00a | - |
| dlink | dvg-n5412sp | - |
| hp | envy_4504_a9t88b | - |
| hp | envy_photo_7100_k7g99a | - |
| hp | hp_officejet_4652_f1j02a | - |
| hp | deskjet_ink_advantage_4536_f0v65a | - |
| hp | deskjet_ink_advantage_4675_f1h97b | - |
| hp | envy_4500_d3p93a | - |
| hp | envy_100_cn519b | - |
| hp | hp_officejet_4650_f1h96a | - |
| hp | officejet_4654_f1j06b | - |
| hp | envy_4505_a9t86a | - |
| hp | deskjet_ink_advantage_4535_f0v64c | - |
| hp | envy_4527_j6u61b | - |
| hp | envy_4500_a9t80b | - |
| hp | envy_5000_m2u85a | - |
| hp | envy_photo_7800_k7s00a | - |
| hp | hp_envy_4523_j6u60b | - |
| hp | envy_5642_b9s64a | - |
| tp-link | archer_c50 | - |
| hp | envy_5665_f8b06a | - |
| epson | xp-340 | - |
| hp | envy_photo_7120_z3m41d | - |
| hp | hp_envy_4528_k9t08b | - |
| epson | xp-330 | - |
| hp | officejet_4652_f1j05b | - |
| hp | hp_officejet_4655_k9v79a | - |
| epson | xp-620 | - |
| hp | envy_5544_k7c89a | - |
| hp | envy_photo_7800_k7s10d | - |
| hp | hp_deskjet_ink_advantage_4676_f1h98a | - |
| hp | officejet_4652_k9v84b | - |
| hp | envy_4503_e6g71b | - |
| hp | envy_photo_6220_k7g20d | - |
| hp | envy_4508_e6g72b | - |
| hp | envy_6540_b9s59a | - |
| debian | debian_linux | 9.0 |
| hp | envy_4524_f0v72b | - |
| canonical | ubuntu_linux | 20.04 |
| hp | hp_officejet_4654_f1j07b | - |
| hp | envy_5000_m2u91a | - |
| hp | envy_5643_b9s63a | - |
| hp | envy_100_cn517b | - |
| hp | envy_110_cq812c | - |
| hp | hp_envy_4525_k9t09b | - |
| epson | ew-m970a3t | - |
| epson | xp-2101 | - |
| hp | officejet_4658_v6d30b | - |
| hp | 5034_z4a74a | - |
| hp | envy_photo_7800_y0g52b | - |
| cisco | wap351 | - |
| hp | deskjet_ink_advantage_3456_a9t84c | - |
| hp | envy_110_cq809c | - |
| hp | deskjet_ink_advantage_4678_f1h99b | - |
| hp | hp_deskjet_ink_advantage_4675_f1h97c | - |
| hp | officejet_4657_v6d29b | - |
| hp | envy_5540_g0v51a | - |
| hp | hp_officejet_4652_k9v84b | - |
| hp | officejet_4654_f1j07b | - |
| hp | envy_photo_7100_z3m52a | - |
| cisco | wap131 | - |
| hp | envy_photo_6200_y0k13d_ | - |
| hp | envy_6020_7cz37a | - |
| epson | xp-960 | - |
| hp | hp_officejet_4650_e6g87a | - |
| hp | envy_photo_7155_z3m52a | - |
| hp | envy_7644_e4w46a | - |
| epson | xp-702 | - |
| hp | envy_photo_6220_k7g21b | - |
| epson | ep-101 | - |
| hp | envy_114_cq812a | - |
| hp | envy_5545_g0v50a | - |
| hp | envy_pro_6420_6wd14a | - |
| hp | envy_5542_k7c88a | - |
| hp | envy_4520_e6g67a | - |
| hp | envy_4520_e6g67b | - |
| hp | envy_5544_k7c93a | - |
| hp | envy_6052_5se18a | - |
| hp | envy_pro_6455_5se45a | - |
| hp | envy_photo_7800_k7r96a | - |
| hp | envy_4520_f0v69a | - |
| hp | envy_5000_m2u91a | * |
| hp | hp_envy_4527_j6u61b | - |
| hp | envy_5540_g0v47a | - |
| hp | envy_6055_5se16a | - |
| hp | envy_5000_m2u94b | - |
| hp | hp_envy_4516_k9h52a | - |
| hp | envy_4516_k9h52a | - |
| hp | officejet_4656_k9v81b | - |
| hp | envy_5000_z4a74a | - |
| hp | envy_4524_f0v71b | - |
| dell | b1165nfw | - |
| hp | envy_100_cn517a | - |
| hp | hp_officejet_4652_f1j05b | - |
| hp | envy_5531 | - |
| hp | envy_7645_e4w44a | - |
| hp | hp_officejet_4656_k9v81b | - |
| hp | envy_6020_5se17a | - |
| hp | envy_pro_6452_5se47a | - |
| fedoraproject | fedora | 31 |
| hp | envy_4524_k9t01a | - |
| hp | deskjet_ink_advantage_4538_f0v66b | - |
| hp | envy_4526_k9t05b | - |
| hp | officejet_4655_f1j00a | - |
| hp | envy_5000_m2u85b | - |
| hp | envy_5535 | - |
| hp | envy_5540_f2e72a | - |
| hp | envy_photo_7822_y0g43d | - |
| hp | hp_deskjet_ink_advantage_4675_f1h97b | - |
| epson | m571t | - |
| hp | envy_100_cn519a | - |
| hp | envy_5000_z4a54a | - |
| hp | envy_4507_e6g70b | - |
| hp | envy_photo_7164_k7g99a | - |
| hp | envy_photo_6222_y0k14d | - |
| hp | hp_envy_4512_k9h49a | - |
| hp | deskjet_ink_advantage_4676_f1h98a | - |
| hp | envy_5640_b9s58a | - |
| hp | envy_114_cq811b | - |
| hp | envy_pro_6420_5se45b | - |
| epson | xp-2105 | - |
| netgear | wnhde111 | - |
| epson | xp-241 | - |
| hp | hp_deskjet_ink_advantage_4535_f0v64a | - |
| hp | officejet_4650_f1h96b | - |
| hp | envy_110_cq809b | - |
| hp | envy_100_cn517c | - |
| epson | xp-8600 | - |
| hp | hp_envy_4524_f0v71b | - |
| zyxel | amg1202-t10b | - |
| hp | envy_4520_f0v63b | - |
| hp | officejet_4655_k9v82b | - |
| hp | envy_photo_6200_k7g18a | - |
| hp | envy_5540_k7c85a | - |
| hp | 5030_m2u92b | - |
| hp | deskjet_ink_advantage_4535_f0v64a | - |
| hp | envy_photo_6222_y0k13d | - |
| hp | envy_4528_k9t08b | - |
| zte | zxv10_w300 | - |
| hp | hp_officejet_4650_f1h96b | - |
| hp | envy_4513_k9h51a | - |
| hp | hp_deskjet_ink_advantage_4535_f0v64b | - |
| epson | xp-630 | - |
| hp | envy_4502_a9t85a | - |
| hp | deskjet_ink_advantage_4515 | - |
| hp | envy_photo_7800_y0g42d | - |
| microsoft | xbox_one | 10.0.19041.2494 |
| hp | envy_5543_n9u88a | - |
| hp | envy_4504_c8d04a | - |
| hp | envy_photo_6200_k7g26b | - |
| hp | deskjet_ink_advantage_5575_g0v48b | - |
| hp | deskjet_ink_advantage_5575_g0v48c | - |
| hp | envy_7640 | - |
| hp | envy_5539 | - |
| hp | envy_photo_7830_y0g50b | - |
| hp | envy_photo_7822_y0g42d | - |
| hp | envy_5546_k7c90a | - |
| hp | envy_5540_g0v52a | - |
| hp | envy_111_cq810a | - |
| hp | hp_envy_4522_f0v67a | - |
| hp | envy_photo_6252_k7g22a | - |
| hp | hp_officejet_4657_v6d29b | - |
| hp | hp_deskjet_ink_advantage_4678_f1h99b | - |
TP-LINK NC200 devices through 2.1.10 build 200401, NC210 devices through 1.0.10 build 200401, NC220 devices through 1.3.1 build 200401, NC230 devices through 1.3.1 build 200401, NC250 devices through 1.3.1 build 200401, NC260 devices through 1.5.3 build_200401, and NC450 devices through 1.5.4 build 200401 have a Buffer Overflow
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | nc200_firmware | * |
| tp-link | nc250_firmware | * |
| tp-link | nc230_firmware | * |
| tp-link | nc210_firmware | * |
| tp-link | nc450_firmware | * |
| tp-link | nc220_firmware | * |
| tp-link | nc260_firmware | * |
On TP-Link TL-WR740N v4 and TL-WR740ND v4 devices, an attacker with access to the admin panel can inject HTML code and change the HTML context of the target pages and stations in the access-control settings via targets_lists_name or hosts_lists_name. The vulnerability can also be exploited through a CSRF, requiring no authentication as an administrator.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 1.7 | 2.7 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr740n_firmware | - |
| tp-link | tl-wr740nd_firmware | - |
TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-319,CWE-522,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-ps310u_firmware | * |
TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-ps310u_firmware | * |
TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 1.2 | 2.7 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-ps310u_firmware | * |
TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to denial-of-service the device via long input values.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-ps310u_firmware | * |
TP-Link Archer C1200 firmware version 1.13 Build 2018/01/24 rel.52299 EU has a XSS vulnerability allowing a remote attacker to execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c1200_firmware | 1.13 |
httpd on TP-Link TL-WPA4220 devices (versions 2 through 4) allows remote authenticated users to execute arbitrary OS commands by sending crafted POST requests to the endpoint /admin/powerline. Fixed version: TL-WPA4220(EU)_V4_201023
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa4220_firmware | * |
TP-Link TL-WA855RE V5 20200415-rel37464 devices allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-306,CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa855re_firmware | * |
| tp-link | tl-wa855re_firmware | 20200415 |
httpd on TP-Link TL-WPA4220 devices (hardware versions 2 through 4) allows remote authenticated users to trigger a buffer overflow (causing a denial of service) by sending a POST request to the /admin/syslog endpoint. Fixed version: TL-WPA4220(EU)_V4_201023
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa4220_firmware | * |
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | * |
Buffer overflow in in the copy_msg_element function for the devDiscoverHandle server in the TP-Link WR and WDR series, including WDR7400, WDR7500, WDR7660, WDR7800, WDR8400, WDR8500, WDR8600, WDR8620, WDR8640, WDR8660, WR880N, WR886N, WR890N, WR890N, WR882N, and WR708N.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wdr8640_firmware | - |
| tp-link | wdr8620_firmware | - |
| tp-link | wdr7660_firmware | - |
| tp-link | wr886n_firmware | - |
| tp-link | wdr7500_firmware | - |
| tp-link | wdr8500_firmware | - |
| tp-link | wdr8400_firmware | - |
| tp-link | wdr8660_firmware | - |
| tp-link | wdr7400_firmware | - |
| tp-link | wr880n_firmware | - |
| tp-link | wr882n_firmware | - |
| tp-link | wr890n_firmware | - |
| tp-link | wr708n_firmware | - |
| tp-link | wdr8600_firmware | - |
| tp-link | wdr7800_firmware | - |
A password-disclosure issue in the web interface on certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. This affects WA901ND devices before 3.16.9(201211) beta, and Archer C5, Archer C7, MR3420, MR6400, WA701ND, WA801ND, WDR3500, WDR3600, WE843N, WR1043ND, WR1045ND, WR740N, WR741ND, WR749N, WR802N, WR840N, WR841HP, WR841N, WR842N, WR842ND, WR845N, WR940N, WR941HP, WR945N, WR949N, and WRD4300 devices.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wr842nd_firmware | - |
| tp-link | mr6400_firmware | - |
| tp-link | wa701nd_firmware | - |
| tp-link | archer_c7_firmware | - |
| tp-link | wr1043nd_firmware | - |
| tp-link | wr842n_firmware | - |
| tp-link | wr940n_firmware | - |
| tp-link | wa901nd_firmware | * |
| tp-link | wr841hp_firmware | - |
| tp-link | wr1045nd_firmware | - |
| tp-link | wr841n_firmware | - |
| tp-link | wr949n_firmware | - |
| tp-link | wrd4300_firmware | - |
| tp-link | wr741nd_firmware | - |
| tp-link | wr845n_firmware | - |
| tp-link | wr749n_firmware | - |
| tp-link | we843n_firmware | - |
| tp-link | wdr3500_firmware | - |
| tp-link | wdr3600_firmware | - |
| tp-link | mr3420_firmware | - |
| tp-link | wr740n_firmware | - |
| tp-link | wr945n_firmware | - |
| tp-link | archer_c5_firmware | - |
| tp-link | wa801nd_firmware | - |
| tp-link | wr840n_firmware | - |
| tp-link | wr802n_firmware | - |
| tp-link | wr941hp_firmware | - |
A Command Injection issue in the traceroute feature on TP-Link TL-WR841N V13 (JP) with firmware versions prior to 201216 allows authenticated users to execute arbitrary code as root via shell metacharacters, a different vulnerability than CVE-2018-12577.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | * |
oal_ipt_addBridgeIsolationRules on TP-Link TL-WR840N 6_EU_0.9.1_4.16 devices allows OS command injection because a raw string entered from the web interface (an IP address field) is used directly for a call to the system library function (for iptables). NOTE: oal_ipt_addBridgeIsolationRules is not the only function that calls util_execSystem.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 6_eu_0.9.1_4.16 |
UNIX Symbolic Link (Symlink) Following in TP-Link Archer A7(US)_V5_200721 allows an authenticated admin user, with physical access and network access, to execute arbitrary code after plugging a crafted USB drive into the router.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.2 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.3 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_a7_firmware | 200721 |
UNIX Symbolic Link (Symlink) Following in TP-Link Archer C9(US)_V1_180125 firmware allows an unauthenticated actor, with physical access and network access, to read sensitive files and write to a limited set of files after plugging a crafted USB drive into the router.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 0.9 | 5.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c9_firmware | 180125 |
A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the configuration of the Wi-Fi network.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 3.16.9 |
On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr849n_firmware | 0.9.1_4.16 |
TP-Link Archer C50 V3 devices before Build 200318 Rel. 62209 allows remote attackers to cause a denial of service via a crafted HTTP Header containing an unexpected Referer field.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-772,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c50 | build_200318 |
| tp-link | archer_c50 | build_170822 |
| tp-link | archer_c50 | build_171227 |
Buffer Overflow in TP-Link WR2041 v1 firmware for the TL-WR2041+ router allows remote attackers to cause a Denial-of-Service (DoS) by sending an HTTP request with a very long "ssid" parameter to the "/userRpm/popupSiteSurveyRpm.html" webpage, which crashes the router.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr2041+_firmware | - |
In the management interface on TP-Link Archer C5v 1.7_181221 devices, credentials are sent in a base64 format over cleartext HTTP.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.8 | 5.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-319,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c5v_firmware | 1.7_181221 |
TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retrieve cleartext credentials via [USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,0 to the /cgi?1&5 URI.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-312,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c5v_firmware | 1.7_181221 |
This vulnerability allows a firewall bypass on affected installations of TP-Link Archer A7 prior to Archer C7(US)_V5_210125 and Archer A7(US)_V5_200220 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of IPv6 connections. The issue results from the lack of proper filtering of IPv6 SSH connections. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-12309.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-693,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_a7_firmware | * |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 1.0.15 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of MAC addresses by the tdpServer endpoint. A crafted TCP message can write stack pointers to the stack. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-12306.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-121,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | 1.0.15 |
TP-Link's TL-WPA4220 4.0.2 Build 20180308 Rel.37064 username and password are sent via the cookie.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-522,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa4220_firmware | 4.0.2 |
TP-Link's TL-WPA4220 4.0.2 Build 20180308 Rel.37064 does not use SSL by default. Attacker on the local network can monitor traffic and capture the cookie and other sensitive information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-312,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa4220_firmware | 4.0.2 |
In TP-Link Wireless N Router WR840N an ARP poisoning attack can cause buffer overflow
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.4 | MEDIUM | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H | 1.2 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-668,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | - |
TP-Link TL-WR802N(US), Archer_C50v5_US v4_200 <= 2020.06 contains a buffer overflow vulnerability in the httpd process in the body message. The attack vector is: The attacker can get shell of the router by sending a message through the network, which may lead to remote code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr802n_firmware | * |
In TP-Link TL-XDR3230 < 1.0.12, TL-XDR1850 < 1.0.9, TL-XDR1860 < 1.0.14, TL-XDR3250 < 1.0.2, TL-XDR6060 Turbo < 1.1.8, TL-XDR5430 < 1.0.11, and possibly others, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-834,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-xdr3250_firmware | * |
| tp-link | tl-xdr3230_firmware | * |
| tp-link | tl-xdr1850_firmware | * |
| tp-link | tl-xdr5430_firmware | * |
| tp-link | tl-xdr6060_firmware | * |
| tp-link | tl-xdr1860_firmware | * |
TP-Link TL-SG2005, TL-SG2008, etc. 1.0.0 Build 20180529 Rel.40524 is affected by an Array index error. The interface that provides the "device description" function only judges the length of the received data, and does not filter special characters. This vulnerability will cause the application to crash, and all device configuration information will be erased.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H | 2.8 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-129,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg2005_firmware | 1.0.0 |
| tp-link | tl-sg2008_firmware | 1.0.0 |
TP-Link TL-SG2005, TL-SG2008, etc. 1.0.0 Build 20180529 Rel.40524 is vulnerable to Cross Site Request Forgery (CSRF). All configuration information is placed in the URL, without any additional token authentication information. A malicious link opened by the switch administrator may cause the password of the switch to be modified and the configuration file to be tampered with.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg2005_firmware | 1.0.0 |
| tp-link | tl-sg2008_firmware | 1.0.0 |
Unauthenticated stored cross-site scripting (XSS) exists in multiple TP-Link products including WIFI Routers (Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers, which affects TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, and Archer C3150v2 devices through the improper validation of the hostname. Some of the pages including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, and qsReview.htm and use this vulnerable hostname function (setDefaultHostname()) without sanitization.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | td-w9977_firmware | v1_0.1.0_0.9.1_up_boot(161123)_2016-11-23_15.36.15 |
| tp-link | tl-wa801nd_firmware | v5_us_0.9.1_3.16_up_boot[170905-rel56404] |
| tp-link | tl-wa801n_firmware | v6_eu_0.9.1_3.16_up_boot[200116-rel61815] |
| tp-link | archer-c3150_firmware | v2_170926 |
| tp-link | tl-wr802n_firmware | v4_us_0.9.1_3.17_up_boot[200421-rel38950] |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer C90 1.0.6 Build 20200114 rel.73164(5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DNS responses. A crafted DNS message can trigger an overflow of a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-14655.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-121,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c90_firmware | 1.0.6 |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link TL-WA1201 1.0.1 Build 20200709 rel.66244(5553) wireless access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DNS responses. A crafted DNS message can trigger an overflow of a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-14656.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-121,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa1201_firmware | 1.0.1 |
An issue was discovered in function httpProcDataSrv in TL-WDR7660 2.0.30 that allows attackers to execute arbitrary code.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr7660_firmware | 2.0.30 |
TP-Link UE330 USB splitter devices through 2021-08-09, in certain specific use cases in which the device supplies power to audio-output equipment, allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. We assume that the USB splitter supplies power to some speakers. The power indicator LED of the USB splitter is connected directly to the power line, as a result, the intensity of the USB splitter's power indicator LED is correlative to its power consumption. The sound played by the connected speakers affects the USB splitter's power consumption and as a result is also correlative to the light intensity of the LED. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LED of the USB splitter, we can recover the sound played by the connected speakers.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ue330_firmware | * |
A denial-of-service attack in WPA2, and WPA3-SAE authentication methods in TP-Link AX10v1 before V1_211014, allows a remote unauthenticated attacker to disconnect an already connected wireless client via sending with a wireless adapter specific spoofed authentication frames
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-290,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax10_firmware | * |
TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of this vulnerability allows an attacker to take full control of the camera.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| cve-coordination@incibe.es | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-77,CWE-77,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c200_firmware | * |
TP-Link wifi router TL-WR802N V4(JP), with firmware version prior to 211202, is vulnerable to OS command injection.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-78,CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr802n_firmware | * |
An HTTP request smuggling attack in TP-Link AX10v1 before v1_211117 allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-444,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax10_v1_firmware | * |
A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP-Link AX10v1 before V1_211117 allows a remote unauthenticated attacker to send a specially crafted HTTP request and receive a misconfigured HTTP/0.9 response, potentially leading into a cache poisoning attack.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-444,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax10_firmware | * |
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | * |
TP-Link Archer A7 Archer A7(US)_V5_210519 is affected by a command injection vulnerability in /usr/bin/tddp. The vulnerability is caused by the program taking part of the received data packet as part of the command. This will cause an attacker to execute arbitrary commands on the router.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_a7_firmware | 210519 |
TP-Link Omada SDN Software Controller before 5.0.15 does not check if the authentication method specified in a connection request is allowed. An attacker can bypass the captive portal authentication process by using the downgraded "no authentication" method, and access the protected network. For example, the attacker can simply set window.authType=0 in client-side JavaScript.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_software_controller | * |
A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/check_reg_verify_code function which could let a remove malicious user execute arbitrary code via a crafted post request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 via the /cloud_config/router_post/check_reset_pwd_verify_code interface.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in /cloud_config/cloud_device/info interface, which allows a malicious user to executee arbitrary code on the system via a crafted post request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reg_verify_code feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reset_pwd_veirfy_code feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
A Buffer Overflow vulnerabiltiy exists in TP-LINK WR-886N 20190826 2.3.8 in thee /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
A Buffer Overflow vulnerabilitiy exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/register feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/modify_account_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/reset_cloud_pwd feature, which allows malicous users to execute arbitrary code on the system via a crafted post request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/upgrade_info feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 20190826_2.3.8 |
There is remote authenticated OS command injection on TP-Link Archer C20i 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n devices vie the X_TP_ExternalIPv6Address HTTP parameter, allowing a remote attacker to run arbitrary commands on the router with root privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c20i_firmware | * |
TP-Link WR886N 3.0 1.0.1 Build 150127 Rel.34123n is vulnerable to Buffer Overflow. Authenticated attackers can crash router httpd services via /userRpm/PingIframeRpm.htm request which contains redundant & in parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wn886n_firmware | 1.0.1 |
Tp-Link TL-WR840N (EU) v6.20 Firmware (0.9.1 4.17 v0001.0 Build 201124 Rel.64328n) is vulnerable to Buffer Overflow via the Password reset feature.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 0.9.1_4.17_v0001.0 |
The vulnerability exists in TP-Link TL-WR841N V11 3.16.9 Build 160325 Rel.62500n wireless router due to transmission of authentication information in cleartextbase64 format. Successful exploitation of this vulnerability could allow a remote attacker to intercept credentials and subsequently perform administrative operations on the affected device through web-based management interface.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vdisclose@cert-in.org.in | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.5 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-319,CWE-319,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 3.16.9 |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-13993.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | * |
TP-Link TL-WA850RE Wi-Fi Range Extender before v6_200923 was discovered to use highly predictable and easily detectable session keys, allowing attackers to gain administrative privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-330,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa850re_firmware | * |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AC1750 prior to 211210 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetUSB.ko kernel module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15773.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | * |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AC1750 1.1.4 Build 20211022 rel.59103(5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetUSB.ko module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-15769.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | * |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AC1750 prior to 1.1.4 Build 20211022 rel.59103(5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetUSB.ko module. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15835.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ac1750_firmware | * |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of file name extensions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-13910.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-121,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | * |
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper access control. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13911.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | 3.20.1 |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-13992.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | 3.20.1 |
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_startPing.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 6.20_180709 |
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 6.20_180709 |
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain an integer overflow via the function dm_checkString. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 6.20_180709 |
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 6.20_180709 |
TP-Link Archer A54 Archer A54(US)_V1_210111 routers were discovered to contain a stack overflow in the function DM_ Fillobjbystr(). This vulnerability allows unauthenticated attackers to execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_a54_firmware | 210111 |
TL-WR841Nv14_US_0.9.1_4.18 routers were discovered to contain a stack overflow in the function dm_fillObjByStr(). This vulnerability allows unauthenticated attackers to execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 0.9.1_4.18 |
TP-Link TL-WR902AC(US)_V3_191209 routers were discovered to contain a stack overflow in the function DM_ Fillobjbystr(). This vulnerability allows unauthenticated attackers to execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr902ac_firmware | 191209 |
TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the DNSServers parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 0.9.1.4.16 |
TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the minAddress parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 0.9.1.4.16 |
TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the httpRemotePort parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 0.9.1.4.16 |
TP-LINK TL-WR840N(ES)_V6.20 was discovered to contain a buffer overflow via the X_TP_ClonedMACAddress parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | 0.9.1.4.16 |
TP-Link TL-WDR7660 2.0.30, Mercury D196G 20200109_2.0.4, and Fast FAC1900R 20190827_2.0.2 routers have a stack overflow issue in `MmtAtePrase` function. Local users could get remote code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr5660_firmware | - |
| tp-link | tl-wdr7661_firmware | - |
| tp-link | tl-wdr7660_firmware | 2.0.30 |
| mercusys | mercury_d196g_firmware | 20200109_2.0.4 |
| tp-link | tl-wdr7620_firmware | - |
| fastcom | fac1900r_firmware | 20190827_2.0.2 |
TP-Link TL-WDR7660 2.0.30, Mercury D196G 20200109_2.0.4, and Fast FAC1900R 20190827_2.0.2 routers have a stack overflow issue in `MntAte` function. Local users could get remote code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr5660_firmware | - |
| tp-link | tl-wdr7661_firmware | - |
| tp-link | tl-wdr7660_firmware | 2.0.30 |
| mercusys | mercury_d196g_firmware | 20200109_2.0.4 |
| tp-link | tl-wdr7620_firmware | - |
| fastcom | fac1900r_firmware | 20190827_2.0.2 |
TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentication.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | - |
A buffer overflow in the httpd daemon on TP-Link TL-WR841N V12 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the System Tools of the Wi-Fi network. This affects TL-WR841 V12 TL-WR841N(EU)_V12_160624 and TL-WR841 V11 TL-WR841N(EU)_V11_160325 , TL-WR841N_V11_150616 and TL-WR841 V10 TL-WR841N_V10_150310 are also affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 150310 |
| tp-link | tl-wr841n(eu)_firmware | 160325 |
| tp-link | tl-wr841n_firmware | 150616 |
| tp-link | tl-wr841n_firmware | 3.16.9 |
| tp-link | tl-wr841_firmware | - |
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax50_firmware | * |
An infinite loop in the function httpRpmPass of TP-Link TL-WR741N/TL-WR742N V1/V2/V3_130415 allows attackers to cause a Denial of Service (DoS) via a crafted packet.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr742n_firmware | - |
| tp-link | tl-wr742n_firmware | v3_130415 |
| tp-link | tl-wr741n_firmware | v3_130415 |
| tp-link | tl-wr741n_firmware | - |
A stack overflow in the function DM_ In fillobjbystr() of TP-Link Archer C50&A5(US)_V5_200407 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c50_firmware | c50&a5(us)_v5_200407 |
| tp-link | archer_a5_firmware | c50&a5(us)_v5_200407 |
TP-LINK TL-R473G 2.0.1 Build 220529 Rel.65574n was discovered to contain a remote code execution vulnerability which is exploited via a crafted packet.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-r473g_firmware | 2.0.1 |
TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c310_firmware | 1.3.0 |
The web configuration interface of the TP-Link M7350 V3 with firmware version 190531 is affected by a pre-authentication command injection vulnerability.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | m7350_firmware | 190531 |
TP Link Archer AX10 V1 Firmware Version 1.3.1 Build 20220401 Rel. 57450(5553) was discovered to allow authenticated attackers to execute arbitrary code via a crafted backup file.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax10_v1_firmware | 1.3.1 |
An access control issue on TP-LInk Tapo C200 V1 devices allows physically proximate attackers to obtain root access by connecting to the UART pins, interrupting the boot process, and setting an init=/bin/sh value.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c200_v1_firmware | - |
The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ax10_firmware | v1_211117 |
TP-Link AX10v1 V1_211117 allows attackers to execute a replay attack by using a previously transmitted encrypted authentication message and valid authentication token. Attackers are able to login to the web application as an admin user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ax10_firmware | v1_211117 |
tdpServer of TP-Link RE300 V1 improperly processes its input, which may allow an attacker to cause a denial-of-service (DoS) condition of the product's OneMesh function.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | re3000_firmware | * |
TP-Link TL-WR841N 8.0 4.17.16 Build 120201 Rel.54750n is vulnerable to Cross Site Scripting (XSS).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 4.17.16_build_120201_rel.54750n |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR841N TL-WR841N(US)_V14_220121 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ated_tp service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-17356.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841_firmware | * |
A vulnerability classified as problematic has been found in TP-Link TL-WR740N. Affected is an unknown function of the component ARP Handler. The manipulation leads to resource consumption. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214812.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr740n_firmware | - |
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR940N 6_211111 3.20.1(US) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the incorrect implementation of the authentication algorithm. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17332.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | 6_211111_3.20.1 |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of TP-Link TL-WR940N 6_211111 3.20.1(US) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of sufficient randomness in the sequnce numbers used for session managment. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-18334.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | 6_211111_3.20.1 |
In TP-Link routers, Archer C5 and WR710N-V1, running the latest available code, when receiving HTTP Basic Authentication the httpd service can be sent a crafted packet that causes a heap overflow. This can result in either a DoS (by crashing the httpd process) or an arbitrary code execution.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c5_firmware | 2_160201_us |
| tp-link | tl-wr710n_firmware | 1_151022_us |
TP-Link routers, Archer C5 and WR710N-V1, using the latest software, the strcmp function used for checking credentials in httpd, is susceptible to a side-channel attack. By measuring the response time of the httpd process, an attacker could guess each byte of the username and password.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c5_firmware | 2_160201_us |
| tp-link | tl-wr710n_firmware | 1_151022_us |
TP-Link TL-WR940N V4 3.16.9 and earlier allows authenticated attackers to cause a Denial of Service (DoS) via uploading a crafted firmware image during the firmware update process.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_v4_firmware | * |
TP-Link TL-WR1043ND V1 3.13.15 and earlier allows authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image during the firmware update process.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr1043nd_v1_firmware | * |
TP-Link TL-WR740N V1 and V2 v3.12.4 and earlier allows authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image during the firmware update process.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr741nd_v2_firmware | * |
| tp-link | tl-wr740n_v1_firmware | * |
| tp-link | tl-wr740n_v2_firmware | * |
| tp-link | tl-wr741nd_v1_firmware | * |
An exploitable firmware modification vulnerability was discovered on TP-Link TL-WR743ND V1. An attacker can conduct a MITM (Man-in-the-Middle) attack to modify the user-uploaded firmware image and bypass the CRC check, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS). This affects v3.12.20 and earlier.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr743nd_v1_firmware | * |
An issue in the firmware update process of TP-Link TL-WA7510N v1 v3.12.6 and earlier allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa7510n_v1_firmware | * |
An issue in the firmware update process of TP-Link TL-WR941ND V2/V3 up to 3.13.9 and TL-WR941ND V4 up to 3.12.8 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr941nd_v4_firmware | * |
| tp-link | tl-wr941nd_v3_firmware | * |
| tp-link | tl-wr941nd_v2_firmware | * |
An issue in the firmware update process of TP-Link TL-WA901ND V1 up to v3.11.2 and TL-WA901N V2 up to v3.12.16 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa901n_firmware | * |
| tp-link | tl-wa901nd_v2_firmware | * |
| tp-link | tl-wa901nd_v1_firmware | * |
An issue in the firmware update process of TP-Link TL-WR841N / TL-WA841ND V7 3.13.9 and earlier allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841nd_v7_firmware | * |
| tp-link | tl-wr841n_firmware | * |
An issue in the firmware update process of TP-LINK TL-WA801N / TL-WA801ND V1 v3.12.16 and earlier allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via uploading a crafted firmware image.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa801n_firmware | * |
| tp-link | tl-wa801nd_v1_firmware | * |
TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated attackers to execute arbitrary code or cause a Denial of Service (DoS) by uploading a crafted firmware update because the signature check is inadequate.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr902ac_firmware | * |
A vulnerability was found in TP-Link Archer C50 V2_160801. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Web Management Interface. The manipulation leads to denial of service. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-221552.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-404,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c50 | v2_160801 |
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax21_firmware | * |
TP-Link SG105PE firmware prior to 'TL-SG105PE(UN) 1.0_1.0.0 Build 20221208' contains an authentication bypass vulnerability. Under the certain conditions, an attacker may impersonate an administrator of the product. As a result, information may be obtained and/or the product's settings may be altered with the privilege of the administrator.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg105pe_firmware | 1.0.0 |
TP-Link router TL-WR940N V6 3.19.1 Build 180119 uses a deprecated MD5 algorithm to hash the admin password used for basic authentication.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | 6_3.19.1 |
A vulnerability has been found in TP-Link Archer C7v2 v2_en_us_180114 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component GET Request Parameter Handler. The manipulation leads to denial of service. The attack can only be done within the local network. The associated identifier of this vulnerability is VDB-228775. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-404,NVD-CWE-noinfo,CWE-404,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c7_firmware | 180114 |
A command injection issue was found in TP-Link MR3020 v.1_150921 that allows a remote attacker to execute arbitrary commands via a crafted request to the tftp endpoint.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-mr3020_firmware | 1.0 |
TP-Link Tapo APK up to v2.12.703 uses hardcoded credentials for access to the login panel.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo | * |
The AES Key-IV pair used by the TP-Link TAPO C200 camera V3 (EU) on firmware version 1.1.22 Build 220725 is reused across all cameras. An attacker with physical access to a camera is able to extract and decrypt sensitive data containing the Wifi password and the TP-LINK account credential of the victim.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c200_firmware | 1.2.2 |
TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the logging functionality of the tdpServer program, which listens on UDP port 20002. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-19898.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax21_firmware | 1.1.3 |
TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of command 0x422 provided to the tmpServer service. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-19905.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax21_firmware | 1.1.3 |
TP-Link AX1800 Firmware Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link AX1800 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of firmware images. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-19703.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax21_firmware | 1.1.1 |
TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability. This vulnerability allows remote attackers to gain access to LAN-side services on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the hotplugd daemon. The issue results from firewall rule handling that allows an attacker access to resources that should be available to the LAN interface only. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the root user. . Was ZDI-CAN-19664.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax21_firmware | 1.1.1 |
TP-Link TL-WPA8630P (US)_ V2_ Version 171011 was discovered to contain a command injection vulnerability via the devicePwd parameter in the function sub_ 40A80C.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa8630p_firmware | 171011 |
TP-Link TL-WPA8630P (US)_ V2_ Version 171011 was discovered to contain a command injection vulnerability via the key parameter in the function sub_ 40A774.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa8630p_firmware | 171011 |
TP-Link L2 switch T2600G-28SQ firmware versions prior to 'T2600G-28SQ(UN)_V1_1.0.6 Build 20230227' uses vulnerable SSH host keys. A fake device may be prepared to spoof the affected device with the vulnerable host key.If the administrator may be tricked to login to the fake device, the credential information for the affected device may be obtained.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | t2600g-28sq_firmware | 20200304 |
| tp-link | t2600g-28sq_firmware | 20190530 |
TP-Link EC-70 devices through 2.3.4 Build 20220902 rel.69498 have a Buffer Overflow.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | ec70_firmware | * |
TP-Link TL-WPA7510 (EU)_V2_190125 was discovered to contain a stack overflow via the operation parameter at /admin/locale.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa7510_firmware | 190125 |
TP-LINK Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c20_firmware | 150707 |
| tp-link | archer_c2_v1_firmware | 170228 |
| tp-link | archer_c50_firmware | 160801 |
Multiple TP-LINK products allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505', Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506', and Archer C20 firmware versions prior to 'Archer C20(JP)_V1_230616'.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c55_firmware | * |
| tp-link | archer_c50_v3_firmware | * |
TP-Link TL-WPA4530 KIT V2 (EU)_170406 and V2 (EU)_161115 is vulnerable to Command Injection via _httpRpmPlcDeviceAdd.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa4530_kit_firmware | 161115 |
| tp-link | tl-wpa4530_kit_firmware | 170406 |
TP-Link TL-WPA4530 KIT V2 (EU)_170406 and V2 (EU)_161115 is vulnerable to Command Injection via _httpRpmPlcDeviceRemove.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa4530_kit_firmware | 161115 |
| tp-link | tl-wpa4530_kit_firmware | 170406 |
TP-Link Archer AX21(US)_V3_1.1.4 Build 20230219 and AX21(US)_V3.6_1.1.4 Build 20230219 are vulnerable to Buffer Overflow.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax21_firmware | 3_1.1.4 |
| tp-link | archer_ax21_firmware | 3.6_1.1.4 |
A command injection vulnerability exists in the administrative web portal in TP-Link Archer VR1600V devices running firmware Versions <= 0.1.0. 0.9.1 v5006.0 Build 220518 Rel.32480n which allows remote attackers, authenticated to the administrative web portal as an administrator user to open an operating system level shell via the 'X_TP_IfName' parameter.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_vr1600v_firmware | * |
Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505' and Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506' use hard-coded credentials to login to the affected device, which may allow a network-adjacent unauthenticated attacker to execute an arbitrary OS command.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c55_firmware | * |
| tp-link | archer_c50_v3_firmware | * |
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a buffer overflow via the component /userRpm/WlanMacFilterRpm.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr740n_firmware | - |
| tp-link | tl-wr841n_firmware | - |
| tp-link | tl-wr940n_firmware | - |
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a buffer overflow via the component /userRpm/FixMapCfgRpm.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr740n_firmware | - |
| tp-link | tl-wr841n_firmware | - |
| tp-link | tl-wr940n_firmware | - |
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm .
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr740n_firmware | - |
| tp-link | tl-wr841n_firmware | - |
| tp-link | tl-wr940n_firmware | - |
Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo | * |
TP-Link Archer AX10(EU)_V1.2_230220 was discovered to contain a buffer overflow via the function FUN_131e8 - 0x132B4.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax10_firmware | 230220 |
TP-Link Tapo C210 Password Recovery Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of TP-Link Tapo C210 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password recovery mechanism. The issue results from reliance upon the secrecy of the password derivation algorithm when generating a recovery password. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-20484.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c210_firmware | 1.3.0 |
TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR740N V1/V2, TL-WR940N V2/V3, and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlTimeSchedRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr740n_firmware | - |
| tp-link | tl-wr941nd_firmware | - |
| tp-link | tl-wr841n_firmware | - |
| tp-link | tl-wr940n_firmware | - |
TP-Link TL-WR940N V4 was discovered to contain a buffer overflow via the ipStart parameter at /userRpm/WanDynamicIpV6CfgRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | - |
TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8, TL-WR941ND V5, and TL-WR740N V1/V2 were discovered to contain a buffer read out-of-bounds via the component /userRpm/VirtualServerRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr740n_firmware | - |
| tp-link | tl-wr941nd_firmware | - |
| tp-link | tl-wr841n_firmware | - |
| tp-link | tl-wr940n_firmware | - |
An issue in the /userRpm/LocalManageControlRpm component of TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8/V10, and TL-WR941ND V5 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr941nd_firmware | - |
| tp-link | tl-wr841n_firmware | - |
| tp-link | tl-wr940n_firmware | - |
TP-Link TL-WR940N V2/V3/V4, TL-WR941ND V5/V6, TL-WR743ND V1 and TL-WR841N V8 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlAccessTargetsRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr743nd_firmware | - |
| tp-link | tl-wr941nd_firmware | - |
| tp-link | tl-wr841n_firmware | - |
| tp-link | tl-wr940n_firmware | - |
TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR940N V2/V3 and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/QoSRuleListRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr941nd_firmware | - |
| tp-link | tl-wr841n_firmware | - |
| tp-link | tl-wr940n_firmware | - |
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: TL-WR802N firmware versions prior to 'TL-WR802N(JP)_V4_221008', TL-WR841N firmware versions prior to 'TL-WR841N(JP)_V14_230506', and TL-WR902AC firmware versions prior to 'TL-WR902AC(JP)_V3_230506'.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | * |
| tp-link | tl-wr902ac_firmware | * |
| tp-link | tl-wr802n_firmware | * |
A post-authentication command injection vulnerability exists in the PPTP client functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability and gain access to an unrestricted shell.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | er7206_firmware | 1.3.0 |
Improper authentication vulnerability in Archer C20 firmware versions prior to 'Archer C20(JP)_V1_230616' allows a network-adjacent unauthenticated attacker to execute an arbitrary OS command via a crafted request to bypass authentication.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c20_firmware | * |
Archer C1200 firmware versions prior to 'Archer C1200(JP)_V2_230508' and Archer C9 firmware versions prior to 'Archer C9(JP)_V3_230508' allow a network-adjacent unauthenticated attacker to execute arbitrary OS commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c1200_firmware | * |
| tp-link | archer_c9_firmware | * |
Archer A10 firmware versions prior to 'Archer A10(JP)_V2_230504' allows a network-adjacent unauthenticated attacker to execute arbitrary OS commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_a10_firmware | * |
Archer C3150 firmware versions prior to 'Archer C3150(JP)_V2_230511' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c3150_firmware | * |
An issue in TPLink Smart Bulb Tapo series L530 1.1.9, L510E 1.0.8, L630 1.0.3, P100 1.4.9, Smart Camera Tapo series C200 1.1.18, and Tapo Application 2.8.14 allows a remote attacker to obtain sensitive information via the authentication code for the UDP message.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_l530e_firmware | 1.0.0 |
| tp-link | tapo | 2.8.14 |
An issue in TPLink Smart Bulb Tapo series L530 before 1.2.4, L510E before 1.1.0, L630 before 1.0.4, P100 before 1.5.0, and Tapo Application 2.8.14 allows a remote attacker to replay old messages encrypted with a still valid session key.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_l530e_firmware | 1.0.0 |
| tp-link | tapo | 2.8.14 |
An issue in TPLink Smart Bulb Tapo series L530 before 1.2.4, L510E before 1.1.0, L630 before 1.0.4, P100 before 1.5.0, and Tapo Application 2.8.14 allows a remote attacker to obtain sensitive information via the TSKEP authentication function.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_l530e_firmware | 1.0.0 |
| tp-link | tapo | 2.8.14 |
An issue in TPLink Smart Bulb Tapo series L530 before 1.2.4, L510E before 1.1.0, L630 before 1.0.4, P100 before 1.5.0, and Tapo Application 2.8.14 allows a remote attacker to obtain sensitive information via the IV component in the AES128-CBC function.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_l530e_firmware | 1.0.0 |
| tp-link | tapo | 2.8.14 |
Archer C5 firmware all versions and Archer C7 firmware versions prior to 'Archer C7(JP)_V2_230602' allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Note that Archer C5 is no longer supported, therefore the update for this product is not provided.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c7_firmware | * |
TP-Link TL-WR841N ated_tp Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ated_tp service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21825.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | * |
| tp-link | tl-wr841n_firmware | * |
An issue in TP-Link Tapo C100 v1.1.15 Build 211130 Rel.15378n(4555) and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted web request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c100_firmware | * |
TP-Link TL-WR940N V2, TP-Link TL-WR941ND V5 and TP-Link TL-WR841N V8 were discovered to contain a buffer overflow via the component /userRpm/AccessCtrlAccessRulesRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_v8_firmware | - |
| tp-link | tl-wr941nd_v5_firmware | - |
| tp-link | tl-wr940n_v2_firmware | - |
TP-Link WR841N V8, TP-Link TL-WR940N V2, and TL-WR941ND V5 were discovered to contain a buffer overflow via the radiusSecret parameter at /userRpm/WlanSecurityRpm.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_v8_firmware | - |
| tp-link | tl-wr941nd_v5_firmware | - |
| tp-link | tl-wr940n_v2_firmware | - |
An issue in the component /userRpm/NetworkCfgRpm of TP-Link TL-WR1041N V2 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr1041n_v2_firmware | - |
TP-Link TL-WR941ND V6 were discovered to contain a buffer overflow via the pSize parameter at /userRpm/PingIframeRpm.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr941nd_v6_firmware | - |
Archer C5400 firmware versions prior to 'Archer C5400(JP)_V2_230506' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c5400_firmware | * |
Deco M4 firmware versions prior to 'Deco M4(JP)_V2_1.5.8 Build 20230619' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | deco_m4_firmware | * |
Multiple TP-LINK products allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: Archer AX50 firmware versions prior to 'Archer AX50(JP)_V1_230529', Archer A10 firmware versions prior to 'Archer A10(JP)_V2_230504', Archer AX10 firmware versions prior to 'Archer AX10(JP)_V1.2_230508', and Archer AX11000 firmware versions prior to 'Archer AX11000(JP)_V1_230523'.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_a10_firmware | * |
| tp-link | archer_ax11000_firmware | * |
| tp-link | archer_ax10_firmware | * |
| tp-link | archer_ax50_firmware | * |
Archer AX6000 firmware versions prior to 'Archer AX6000(JP)_V1_1.3.0 Build 20221208' allows a network-adjacent authenticated attacker to execute arbitrary OS commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax6000_firmware | * |
TP-Link Tapo C210 ActiveCells Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Tapo C210 IP cameras. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the ActiveCells parameter of the CreateRules and ModifyRules APIs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-20589.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c210_firmware | 1.3.0 |
Insecure Permissions vulnerability in Connectivity Standards Alliance Matter Official SDK v.1.1.0.0 , Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, switchBot Hub2 v.1.0-0.8, Phillips hue hub v.1.59.1959097030, and yeelight smart lamp v.1.12.69 allows a remote attacker to cause a denial of service via a crafted script to the KeySetRemove function.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| yeelight | smart_lamp_firmware | 1.12.69 |
| orein | smart_bulb_firmware | - |
| tp-link | smart_plug_firmware | - |
| phillips | hue_bridge_firmware | 1.59.1959097030 |
| tapo | mini_smart_wi-fi_plug_firmware | - |
| nanoleaf | lightstrip_firmware | 3.5.10 |
| eve | eve_door_and_window_firmware | - |
| govee | led_strip_firmware | 3.00.42 |
| switchbot | hub2_firmware | 1.0-0.8 |
A post authentication command injection vulnerability exists when setting up the PPTP global configuration of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | er7206_firmware | 1.3.0 |
There is an unauthorized access vulnerability in TP-LINK ER5120G 4.0 2.0.0 Build 210817 Rel.80868n, which allows attackers to obtain sensitive information of the device without authentication, obtain user tokens, and ultimately log in to the device backend management.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-er5120g_firmware | 2.0.0 |
TPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command injection vulnerability, when an attacker adds ACL rules after authentication, and the rule name parameter has injection points.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-er5120g_firmware | 2.0.0 |
TPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command injection vulnerability, when an attacker adds NAPT rules after authentication, and the rule name has an injection point.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-er5120g_firmware | 2.0.0 |
TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allows attackers to escalate privileges via modification of the 'tid' and 'usrlvl' values in GET requests.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg2210p_firmware | 5.0 |
A command execution vulnerability exists in the guest resource functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | er7206_firmware | 1.3.0 |
TP-Link TL-WR902AC loginFs Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR902AC routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-21529.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr902ac_firmware | 231025 |
| tp-link | tl-wr902ac_firmware | 231027 |
TP-Link Archer A54 libcmm.so dm_fillObjByStr Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A54 routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the file libcmm.so. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22262.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_a54_firmware | 0.9.1_0.4_v0001.0 |
TP-Link device TL-WDR7660 2.0.30 and TL-WR886N 2.0.12 has a stack overflow vulnerability via the function upgradeInfoJsonToBin.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr7660_firmware | 2.0.30 |
TP-Link TL-WDR7660 2.0.30 has a stack overflow vulnerability via the function deviceInfoJsonToBincauses.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr7660_firmware | 2.0.30 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function uninstallPluginReqHandle.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function RegisterRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK device TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin and TL-WDR7660 2.0.30 were discovered to contain a stack overflow via the function deviceInfoRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function upgradeInfoRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function loginRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function resetCloudPwdRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin and TL-WDR7660 2.0.30 was discovered to contain a stack overflow via the function bindRequestHandle.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function modifyAccPwdRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function getResetVeriRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function chkRegVeriRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function getRegVeriRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function chkResetVeriRegister.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
TP-LINK TL-WR886N V7.0_3.0.14_Build_221115_Rel.56908n.bin was discovered to contain a stack overflow via the function registerRequestHandle.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr886n_firmware | 3.0.14 |
A post authentication command injection vulnerability exists when configuring the wireguard VPN functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection . An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | er7206_firmware | 1.3.0 |
A post authentication command injection vulnerability exists in the GRE policy functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | er7206_firmware | 1.3.0 |
A post authentication command injection vulnerability exists in the ipsec policy functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | er7206_firmware | 1.3.0 |
A post authentication command injection vulnerability exists when configuring the web group member of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | er7206_firmware | 1.3.0 |
A post authentication command execution vulnerability exists in the web filtering functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | er7206_firmware | 1.3.0 |
A memory corruption vulnerability exists in the web interface functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted HTTP POST request can lead to denial of service of the device's web interface. An attacker can send an unauthenticated HTTP POST request to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
A denial of service vulnerability exists in the TDDP functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of network requests can lead to reset to factory settings. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H | 2.2 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build 20220216. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.This vulnerability impacts `uclited` on the EAP225(V3) 5.1.0 Build 20220926 of the AC1350 Wireless MU-MIMO Gigabit Access Point.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
| tp-link | eap115_firmware | 5.0.4 |
A command execution vulnerability exists in the tddpd enable_test_mode functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926 and Tp-Link N300 Wireless Access Point (EAP115 V4) v5.0.4 Build 20220216. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.This vulnerability impacts `uclited` on the EAP115(V4) 5.0.4 Build 20220216 of the N300 Wireless Gigabit Access Point.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
| tp-link | eap115_firmware | 5.0.4 |
Insecure Permissiosn vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.6 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 0.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c200_firmware | 1.3.9 |
| tp-link | tapo_c200_firmware | 1.1.22 |
| tp-link | tapo_tc70_firmware | 1.3.9 |
| tp-link | tapo_tc70_firmware | 1.1.22 |
| tp-link | tapo_c200_firmware | 1.3.4 |
| tp-link | tapo_tc70_firmware | 1.3.4 |
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `ssid` parameter at offset `0x0045ab7c` of the `httpd_portal` binary shipped with v5.1.0 Build 20220926 of the EAP225.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `band` parameter at offset `0x0045aad8` of the `httpd_portal` binary shipped with v5.1.0 Build 20220926 of the EAP225.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
| tp-link | eap115_firmware | 5.0.4 |
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `profile` parameter at offset `0x0045abc8` of the `httpd_portal` binary shipped with v5.1.0 Build 20220926 of the EAP225.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `action` parameter at offset `0x0045ab38` of the `httpd_portal` binary shipped with v5.1.0 Build 20220926 of the EAP225.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `ssid` parameter at offset `0x42247c` of the `httpd` binary shipped with v5.0.4 Build 20220216 of the EAP115.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
| tp-link | eap115_firmware | 5.0.4 |
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `band` parameter at offset `0x422420` of the `httpd` binary shipped with v5.0.4 Build 20220216 of the EAP115.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
| tp-link | eap115_firmware | 5.0.4 |
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `profile` parameter at offset `0x4224b0` of the `httpd` binary shipped with v5.0.4 Build 20220216 of the EAP115.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
| tp-link | eap115_firmware | 5.0.4 |
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `action` parameter at offset `0x422448` of the `httpd` binary shipped with v5.0.4 Build 20220216 of the EAP115.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | eap225_firmware | 5.1.0 |
| tp-link | eap115_firmware | 5.0.4 |
TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. . Was ZDI-CAN-19899.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | 3.16.9 |
TP-Link TL-WR902AC dm_fillObjByStr Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR902AC routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the libcmm.so module. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-21819.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr902ac_firmware | 0.9.1_0.3_v008a.0 |
This vulnerability exists in TP-Link IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the Wi-Fi credentials stored on the vulnerable device.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_h100_firmware | * |
A vulnerability, which was classified as critical, has been found in TP-Link VN020 F3v(T) TT_V6.2.1021. Affected by this issue is some unknown functionality of the component DHCP DISCOVER Packet Parser. The manipulation of the argument hostname leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cna@vuldb.com | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,CWE-119,CWE-121,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | vn020-f3v(t)_firmware | tt_v6.2.1021 |
TP-Link Omada ER605 DHCPv6 Client Options Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DHCP options. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_er605_firmware | * |
TP-Link Omada ER605 Access Control Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605. Authentication is required to exploit this vulnerability. The specific issue exists within the handling of the name field in the access control user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22227.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_er605_firmware | * |
A vulnerability classified as critical has been found in TP-Link VN020 F3v(T) TT_V6.2.1021. Affected is an unknown function of the file /control/WANIPConnection of the component SOAP Request Handler. The manipulation of the argument NewConnectionType leads to buffer overflow. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| cna@vuldb.com | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | vn020_f3v_firmware | 6.2.1021 |
A vulnerability, which was classified as critical, was found in TP-Link VN020 F3v(T) TT_V6.2.1021. This affects an unknown part of the component FTP USER Command Handler. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| cna@vuldb.com | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | vn020_f3v_firmware | 6.2.1021 |
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker with access to the product from the LAN port or Wi-Fi to execute arbitrary OS commands on the product that has pre-specified target devices and blocked URLs in parental control settings.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | deco_xe200_firmware | * |
| tp-link | archer_ax3000_firmware | * |
| tp-link | archer_ax5400_firmware | * |
| tp-link | deco_x50_firmware | * |
Multiple TP-LINK products allow a network-adjacent authenticated attacker with access to the product from the LAN port or Wi-Fi to execute arbitrary OS commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax3000_firmware | * |
| tp-link | archer_ax5400_firmware | * |
| tp-link | archer_axe75_firmware | * |
A leftover debug code vulnerability exists in the cli_server debug functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.4.1 Build 20240117 Rel.57421. A specially crafted series of network requests can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| talos-cna@cisco.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | er7206_firmware | 1.4.1 |
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker with access to the product to execute arbitrary OS commands. The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | deco_xe200_firmware | * |
| tp-link | archer_ax3000_firmware | * |
| tp-link | archer_ax5400_firmware | * |
| tp-link | archer_axe75_firmware | * |
| tp-link | deco_x50_firmware | * |
Cross-Site Scripting (XSS) vulnerability stored in TP-Link Archer AX50 affecting firmware version 1.0.11 build 2022052. This vulnerability could allow an unauthenticated attacker to create a port mapping rule via a SOAP request and store a malicious JavaScript payload within that rule, which could result in an execution of the JavaScript payload when the rule is loaded.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve-coordination@incibe.es | 6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | 1.8 | 3.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax50_firmware | 1.0.11 |
TP Link MR200 V4 Firmware version 210201 was discovered to contain a null-pointer-dereference in the web administration panel on /cgi/login via the sign, Action or LoginStatus query parameters which could lead to a denial of service by a local or remote unauthenticated attacker.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | mr200_firmware | 210201 |
In TP-Link Omada er605 1.0.1 through (v2.6) 2.2.3, a cloud-brd binary is susceptible to an integer overflow that leads to a heap-based buffer overflow. After heap shaping, an attacker can achieve code execution in the context of the cloud-brd binary that runs at the root level. This is fixed in ER605(UN)_v2_2.2.4 Build 020240119.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_er605_firmware | * |
TP-LINK TL-7DR5130 v1.0.23 is vulnerable to forged ICMP redirect message attacks. An attacker in the same WLAN as the victim can hijack the traffic between the victim and any remote server by sending out forged ICMP redirect messages.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-7dr5130_firmware | 1.0.23 |
TP-LINK TL-7DR5130 v1.0.23 is vulnerable to TCP DoS or hijacking attacks. An attacker in the same WLAN as the victim can disconnect or hijack the traffic between the victim and any remote server by sending out forged TCP RST messages to evict NAT mappings in the router.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-7dr5130_firmware | 1.0.23 |
In the TP-Link RE365 V1_180213, there is a buffer overflow vulnerability due to the lack of length verification for the USER_AGENT field in /usr/bin/httpd. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | re365_firmware | 180213 |
TP-Link WR941ND V6 has a stack overflow vulnerability in the ssid parameter in /userRpm/popupSiteSurveyRpm.htm.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wr941nd_firmware | - |
TP-Link WR740N V6 has a stack overflow vulnerability via the ssid parameter in /userRpm/popupSiteSurveyRpm.htm url.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wr740n_firmware | - |
TL-WR845N(UN)_V4_201214, TP-Link TL-WR845N(UN)_V4_200909, and TL-WR845N(UN)_V4_190219 was discovered to transmit user credentials in plaintext after executing a factory reset.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr845n_firmware | 190219 |
| tp-link | tl-wr845n_firmware | 200909 |
| tp-link | tl-wr845n_firmware | 201214 |
TP-Link TL-WR845N(UN)_V4_190219 was discovered to transmit credentials in base64 encoded form, which can be easily decoded by an attacker executing a man-in-the-middle attack.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr845n_firmware | 190219 |
TP-LINK TL-WDR5620 v2.3 was discovered to contain a remote code execution (RCE) vulnerability via the httpProcDataSrv function.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr5620_firmware | 2.3 |
| tp-link | tl-wdr5620_firmware | 2.6.60 |
TP-Link TL-IPC42C V4.0_20211227_1.0.16 is vulnerable to command injection due to the lack of malicious code verification on both the frontend and backend.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-ipc42c_firmware | 20211227_1.0.16 |
| tp-link | tl-ipc42c_firmware | 4.0_20211227_1.0.16 |
In TP-Link TL-WDR7660 1.0, the wlanTimerRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr7660_firmware | 1.0 |
In TP-Link TL-WDR7660 1.0, the rtRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr7660_firmware | 1.0 |
In TP-Link TL-WDR7660 1.0, the wacWhitelistJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr7660_firmware | 1.0 |
In TP-Link TL-WDR7660 v1.0, the guestRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wdr7660_firmware | 1.0 |
TP-Link TL-WR845N(UN)_V4_201214, TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 were discovered to contain weak default credentials for the Administrator account.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr845n_firmware | 190219 |
| tp-link | tl-wr845n_firmware | 200909 |
| tp-link | tl-wr845n_firmware | 201214 |
TP-Link Omada ER605 PPTP VPN username Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are only vulnerable if configured to use a PPTP VPN with LDAP authentication. The specific flaw exists within the handling of the username parameter provided to the /usr/bin/pppd endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22446.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_er605_firmware | 2.2.2 |
TP-Link Omada ER605 Comexe DDNS Response Handling Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are vulnerable only if configured to use the Comexe DDNS service. The specific flaw exists within the handling of DNS responses. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22383.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_er605_firmware | 2.2.2 |
TP-Link Omada ER605 Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are vulnerable only if configured to use the Comexe DDNS service. The specific flaw exists within the handling of DDNS error codes. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22522.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_er605_firmware | 2.2.2 |
TP-Link Omada ER605 Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are vulnerable only if configured to use the Comexe DDNS service. The specific flaw exists within the handling of DNS names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22523.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_er605_firmware | 2.2.2 |
TP-Link Omada ER605 Reliance on Security Through Obscurity Vulnerability. This vulnerability allows network-adjacent attackers to access or spoof DDNS messages on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are vulnerable only if configured to use the Comexe DDNS service. The specific flaw exists within the cmxddnsd executable. The issue results from reliance on obscurity to secure network data. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-22439.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_er605_firmware | 2.2.2 |
TP-Link TL-WR940N V3 and V4 with firmware 3.16.9 and earlier contain a buffer overflow via the dnsserver1 and dnsserver2 parameters at /userRpm/Wan6to4TunnelCfgRpm.htm. This vulnerability allows an authenticated attacker to execute arbitrary code on the remote device in the context of the root user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | * |
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory. When adding Referer: http://tplinkwifi.net to the the request, it will be recognized as passing the authentication. NOTE: this is disputed by the Supplier because the response to the API call is only "non-sensitive UI initialization variables."
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c20_firmware | 6.6_230412 |
An issue in TPLINK TL-WPA 8630 TL-WPA8630(US)_V2_2.0.4 Build 20230427 allows a remote attacker to execute arbitrary code via function sub_4256CC, which allows command injection by injecting 'devpwd'.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.0 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wpa8630_firmware | 2.0.4 |
A vulnerability was found in TP-LINK TL-WR841ND up to 20240920. It has been rated as critical. Affected by this issue is some unknown functionality of the file /userRpm/popupSiteSurveyRpm.htm. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cna@vuldb.com | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-121,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841nd_firmware | - |
A vulnerability classified as problematic has been found in TP-Link TL-SG108E 1.0.0 Build 20201208 Rel. 40304. Affected is an unknown function of the file /usr_account_set.cgi of the component HTTP GET Request Handler. The manipulation of the argument username/password leads to use of get request method with sensitive query strings. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.0 Build 20250124 Rel. 54920(Beta) is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early. They reacted very professional and provided a pre-fix version for their customers.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cna@vuldb.com | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 2.2 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-598,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-sg108e_firmware | 1.0.0 |
A weakness in the web interface’s application layer encryption in VX800v v1.0 allows an adjacent attacker to brute force the weak AES key and decrypt intercepted traffic. Successful exploitation requires network proximity but no authentication, and may result in high impact to confidentiality, integrity, and availability of transmitted data.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | vx800v_firmware | * |
A vulnerability in the SSH server of TP-Link TL-WR820N v2.80 allows the use of a weak cryptographic algorithm, enabling an adjacent attacker to intercept and decrypt SSH traffic. Exploitation may expose sensitive information and compromise confidentiality.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr820n_firmware | * |
The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS).
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c200_firmware | 1.3.7 |
| tp-link | tapo_c200_firmware | 1.4.1 |
| tp-link | tapo_c200_firmware | 1.4.4 |
| tp-link | tapo_c200_firmware | 1.3.3 |
| tp-link | tapo_c200_firmware | 1.3.5 |
| tp-link | tapo_c200_firmware | 1.3.4 |
| tp-link | tapo_c200_firmware | 1.3.11 |
| tp-link | tapo_c200_firmware | 1.3.15 |
| tp-link | tapo_c200_firmware | 1.3.9 |
| tp-link | tapo_c200_firmware | 1.3.14 |
| tp-link | tapo_c200_firmware | 1.3.13 |
| tp-link | tapo_c200_firmware | 1.4.2 |
The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device’s Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS).
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c200_firmware | 1.3.7 |
| tp-link | tapo_c200_firmware | 1.4.1 |
| tp-link | tapo_c200_firmware | 1.4.4 |
| tp-link | tapo_c200_firmware | 1.3.3 |
| tp-link | tapo_c200_firmware | 1.3.5 |
| tp-link | tapo_c200_firmware | 1.3.4 |
| tp-link | tapo_c200_firmware | 1.3.11 |
| tp-link | tapo_c200_firmware | 1.3.15 |
| tp-link | tapo_c200_firmware | 1.3.9 |
| tp-link | tapo_c200_firmware | 1.3.14 |
| tp-link | tapo_c200_firmware | 1.3.13 |
| tp-link | tapo_c200_firmware | 1.4.2 |
A NULL Pointer Dereference vulnerability in TP-Link Archer BE400 V1(802.11 modules) allows an adjacent attacker to cause a denial-of-service (DoS) by triggering a device reboot. This issue affects Archer BE400: xi 1.1.0 Build 20250710 rel.14914.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be400_firmware | * |
Command Injection vulnerability in TP-Link WA850RE (httpd modules) allows authenticated adjacent attacker to inject arbitrary commands.This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa850re_firmware | * |
Improper authentication vulnerability in TP-Link WA850RE (httpd modules) allows unauthenticated attackers to download the configuration file.This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wa850re_firmware | * |
A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 to certain cgi endpoints allows unauthenticated access intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_nx600_firmware | * |
| tp-link | archer_nx210_firmware | * |
| tp-link | archer_nx200_firmware | * |
| tp-link | archer_nx500_firmware | * |
Improper input handling in a wireless-control administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_nx600_firmware | * |
| tp-link | archer_nx210_firmware | * |
| tp-link | archer_nx200_firmware | * |
| tp-link | archer_nx500_firmware | * |
Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_nx600_firmware | * |
| tp-link | archer_nx210_firmware | * |
| tp-link | archer_nx200_firmware | * |
| tp-link | archer_nx500_firmware | * |
Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | vx800v_firmware | * |
Improper handling of exceptional conditions in VX800v v1.0 in SIP processing allows an attacker to flood the device with crafted INVITE messages, blocking all voice lines and causing a denial of service on incoming calls.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | vx800v_firmware | * |
Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read‑only access to system files.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | vx800v_firmware | * |
The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attacker to gain root-level command execution, compromising confidentiality, integrity and availability.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_re605x_firmware | * |
Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | vx800v_firmware | * |
The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr850n_firmware | * |
| tp-link | archer_mr200_firmware | * |
| tp-link | archer_c20_firmware | * |
| tp-link | tl-wr845n_firmware | * |
An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_p100_firmware | * |
| tp-link | tapo_h100_firmware | * |
A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_nx600_firmware | * |
| tp-link | archer_nx210_firmware | * |
| tp-link | archer_nx200_firmware | * |
| tp-link | archer_nx500_firmware | * |
A Denial-of-Service (DoS) vulnerability in the httpd component of TP-Link's TD-W8961N v4.0 due to improper input sanitization, allows crafted requests to trigger a processing error that causes the httpd service to crash. Successful exploitation may allow the attacker to cause service interruption, resulting in a DoS condition.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | td-w8961nd_firmware | * |
A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
This vulnerability in AX53 v1 results from insufficient input sanitization in the device’s probe handling logic, where unvalidated parameters can trigger a stack-based buffer overflow that causes the affected service to crash and, under specific conditions, may enable remote code execution through complex heap-spray techniques. Successful exploitation may result in repeated service unavailability and, in certain scenarios, allow an attacker to gain control of the device.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
A stored cross-site scripting (XSS) vulnerability in the upnp.htm page of the web Interface in TP-Link WR841N v14/v14.6/v14.8 <= Build 241230 Rel. 50788n allows remote attackers to inject arbitrary JavaScript code via the port mapping description. This leads to an execution of the JavaScript payload when the upnp page is loaded.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | wr841n_firmware | * |
A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11 via the 'gw' parameter at /userRpm/WanDynamicIpV6CfgRpm.htm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 3.5 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L | 1.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841nd_v11_firmware | - |
A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11 via the username and password parameters at /userRpm/PPPoEv6CfgRpm.htm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 1.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841nd_v11_firmware | - |
A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11, triggered by the dnsserver1 and dnsserver2 parameters at /userRpm/WanSlaacCfgRpm.htm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841nd_firmware | - |
A vulnerability has been found in TP-Link TL-WR841N v11, TL-WR842ND v2 and TL-WR494N v3. The vulnerability exists in the /userRpm/WlanNetworkRpm.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | * |
A vulnerability has been found in TP-Link TL-WR841N V11. The vulnerability exists in the /userRpm/WlanNetworkRpm_AP.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | * |
A vulnerability has been found in TP-Link TL-WR841N V11. The vulnerability exists in the /userRpm/WlanNetworkRpm_APC.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | * |
A vulnerability has been found in TP-Link TL-WR841N V11. The vulnerability exists in the /userRpm/WzdWlanSiteSurveyRpm_AP.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | * |
A vulnerability has been found in TP-Link TL-WR841N V11. The vulnerability exists in the /userRpm/Wan6to4TunnelCfgRpm.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | * |
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted set of network packets containing an excessive number of host entries This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
A vulnerability classified as critical has been found in TP-LINK Technologies TL-IPC544EP-W4 1.0.9 Build 240428 Rel 69493n. Affected is the function sub_69064 of the file /bin/main. The manipulation of the argument text leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cna@vuldb.com | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,CWE-120,CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-ipc544ep-w4_firmware | 1.0.9 |
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. The vulnerability arises from improper validation of a packet field whose offset is used to determine the write location in memory. By crafting a packet with a manipulated field offset, an attacker can redirect writes to arbitrary memory locations.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
A vulnerability has been found in TP-Link TL-WR940N V4 and TL-WR841N V11. Affected by this issue is some unknown functionality of the file /userRpm/WanSlaacCfgRpm.htm, which may lead to buffer overflow. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr940n_firmware | - |
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. This could enable unauthorized access if captured credentials are reused.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tdpserver modules) allows adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a maliciously formed field.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_ax53_firmware | 1.0 |
An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | g611_firmware | * |
| tp-link | er706w_firmware | 1.2.1 |
| tp-link | er7412-m2_firmware | * |
| tp-link | er605_firmware | * |
| tp-link | fr307-m2_firmware | * |
| tp-link | fr205_firmware | * |
| tp-link | fr307-m2_firmware | 1.2.5 |
| tp-link | er7412-m2_firmware | 1.1.0 |
| tp-link | er7212pc_firmware | * |
| tp-link | er707-m2_firmware | * |
| tp-link | er8411_firmware | * |
| tp-link | g36_firmware | * |
| tp-link | fr365_firmware | 1.1.10 |
| tp-link | er7212pc_firmware | 2.1.3 |
| tp-link | fr205_firmware | 1.0.3 |
| tp-link | fr365_firmware | * |
| tp-link | er707-m2_firmware | 1.3.1 |
| tp-link | g611_firmware | 1.2.2 |
| tp-link | g36_firmware | 1.1.4 |
| tp-link | er706w-4g_firmware | 1.2.1 |
| tp-link | er7206_firmware | * |
| tp-link | er7206_firmware | 2.2.2 |
| tp-link | er706w_firmware | * |
| tp-link | er706w-4g_firmware | * |
| tp-link | er605_firmware | 2.3.1 |
| tp-link | er8411_firmware | 1.3.3 |
An arbitrary OS command may be executed on the product by a remote unauthenticated attacker.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | g611_firmware | * |
| tp-link | er706w_firmware | 1.2.1 |
| tp-link | er7412-m2_firmware | * |
| tp-link | er605_firmware | * |
| tp-link | fr307-m2_firmware | * |
| tp-link | fr205_firmware | * |
| tp-link | fr307-m2_firmware | 1.2.5 |
| tp-link | er7412-m2_firmware | 1.1.0 |
| tp-link | er7212pc_firmware | * |
| tp-link | er707-m2_firmware | * |
| tp-link | er8411_firmware | * |
| tp-link | g36_firmware | * |
| tp-link | fr365_firmware | 1.1.10 |
| tp-link | er7212pc_firmware | 2.1.3 |
| tp-link | fr205_firmware | 1.0.3 |
| tp-link | fr365_firmware | * |
| tp-link | er707-m2_firmware | 1.3.1 |
| tp-link | g611_firmware | 1.2.2 |
| tp-link | g36_firmware | 1.1.4 |
| tp-link | er706w-4g_firmware | 1.2.1 |
| tp-link | er7206_firmware | * |
| tp-link | er7206_firmware | 2.2.2 |
| tp-link | er706w_firmware | * |
| tp-link | er706w-4g_firmware | * |
| tp-link | er605_firmware | 2.3.1 |
| tp-link | er8411_firmware | 1.3.3 |
A denial-of-service (DoS) vulnerability was identified in Omada EAP610 v3. An attacker with adjacent network access can send crafted requests to cause the device’s HTTP service to crash. This results in temporary service unavailability until the device is rebooted. This issue affects Omada EAP610 firmware versions prior to 1.6.0.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_eap610_firmware | * |
A command injection vulnerability may be exploited after the admin's authentication on the web portal on Omada gateways.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | g611_firmware | * |
| tp-link | er706w_firmware | 1.2.1 |
| tp-link | er7412-m2_firmware | * |
| tp-link | er605_firmware | * |
| tp-link | fr307-m2_firmware | * |
| tp-link | fr205_firmware | * |
| tp-link | fr307-m2_firmware | 1.2.5 |
| tp-link | er7412-m2_firmware | 1.1.0 |
| tp-link | er7212pc_firmware | * |
| tp-link | er707-m2_firmware | * |
| tp-link | er8411_firmware | * |
| tp-link | g36_firmware | * |
| tp-link | fr365_firmware | 1.1.10 |
| tp-link | er7212pc_firmware | 2.1.3 |
| tp-link | fr205_firmware | 1.0.3 |
| tp-link | fr365_firmware | * |
| tp-link | er707-m2_firmware | 1.3.1 |
| tp-link | g611_firmware | 1.2.2 |
| tp-link | g36_firmware | 1.1.4 |
| tp-link | er706w-4g_firmware | 1.2.1 |
| tp-link | er7206_firmware | * |
| tp-link | er7206_firmware | 2.2.2 |
| tp-link | er706w_firmware | * |
| tp-link | er706w-4g_firmware | * |
| tp-link | er605_firmware | 2.3.1 |
| tp-link | er8411_firmware | 1.3.3 |
An attacker may obtain the root shell on the underlying OS system with the restricted conditions on Omada gateways.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | g611_firmware | * |
| tp-link | er706w_firmware | 1.2.1 |
| tp-link | er7412-m2_firmware | * |
| tp-link | er605_firmware | * |
| tp-link | fr307-m2_firmware | * |
| tp-link | fr205_firmware | * |
| tp-link | fr307-m2_firmware | 1.2.5 |
| tp-link | er7412-m2_firmware | 1.1.0 |
| tp-link | er7212pc_firmware | * |
| tp-link | er707-m2_firmware | * |
| tp-link | er8411_firmware | * |
| tp-link | g36_firmware | * |
| tp-link | fr365_firmware | 1.1.10 |
| tp-link | er7212pc_firmware | 2.1.3 |
| tp-link | fr205_firmware | 1.0.3 |
| tp-link | fr365_firmware | * |
| tp-link | er707-m2_firmware | 1.3.1 |
| tp-link | g611_firmware | 1.2.2 |
| tp-link | g36_firmware | 1.1.4 |
| tp-link | er706w-4g_firmware | 1.2.1 |
| tp-link | er7206_firmware | * |
| tp-link | er7206_firmware | 2.2.2 |
| tp-link | er706w_firmware | * |
| tp-link | er706w-4g_firmware | * |
| tp-link | er605_firmware | 2.3.1 |
| tp-link | er8411_firmware | 1.3.3 |
A stack-based buffer overflow vulnerability was identified in the ONVIF SOAP XML Parser in Tapo C200 v3 and C520WS v2.6. When processing XML tags with namespace prefixes, the parser fails to validate the prefix length before copying it to a fixed-size stack buffer. It allowed a crafted SOAP request with an oversized namespace prefix to cause memory corruption in stack. An unauthenticated attacker on the same local network may exploit this flaw to enable remote code execution with elevated privileges, leading to full compromise of the device.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c200_firmware | 1.3.7 |
| tp-link | tapo_c200_firmware | 1.4.1 |
| tp-link | tapo_c200_firmware | 1.4.4 |
| tp-link | tapo_c200_firmware | 1.3.3 |
| tp-link | tapo_c200_firmware | 1.3.5 |
| tp-link | tapo_c200_firmware | 1.3.4 |
| tp-link | tapo_c200_firmware | 1.3.11 |
| tp-link | tapo_c200_firmware | 1.3.15 |
| tp-link | tapo_c200_firmware | 1.3.9 |
| tp-link | tapo_c200_firmware | 1.3.14 |
| tp-link | tapo_c200_firmware | 1.3.13 |
| tp-link | tapo_c200_firmware | 1.4.2 |
The TP-Link KP303 Smartplug can be issued unauthenticated protocol commands that may cause unintended power-off condition and potential information leak. This issue affects TP-Link KP303 (US) Smartplug: before 1.1.0.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | kp303_firmware | * |
A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. A remote, unauthenticated attacker can exploit this flaw and cause Denial of Service on the web portal service.This issue affects TL-WR841N v14: before 250908.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | * |
A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator’s browser, potentially exposing sensitive information and compromising confidentiality.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | oc220_firmware | * |
| tp-link | omada_controller | * |
| tp-link | oc300_firmware | * |
| tp-link | oc400_firmware | * |
| tp-link | oc200_firmware | * |
An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | dr3650v_firmware | * |
| tp-link | eap610_firmware | * |
| tp-link | er701-5g-outdoor_firmware | * |
| tp-link | er605_firmware | * |
| tp-link | eap610gp-desktop_firmware | * |
| tp-link | eap653_ur_firmware | * |
| tp-link | eap603gp-desktop_firmware | * |
| tp-link | eap625-outdoor_hd_firmware | * |
| tp-link | er605w_firmware | * |
| tp-link | eap725-wall_firmware | * |
| tp-link | eap620_hd_firmware | * |
| tp-link | eap783_firmware | * |
| tp-link | er7212pc_firmware | * |
| tp-link | eap772_firmware | * |
| tp-link | er707-m2_firmware | * |
| tp-link | eap615-wall_firmware | * |
| tp-link | eap650-outdoor_firmware | * |
| tp-link | eap610-outdoor_firmware | * |
| tp-link | er703wp-4g-outdoor_firmware | * |
| tp-link | dr3220v-4g_firmware | * |
| tp-link | eap603-outdoor_firmware | * |
| tp-link | eap770_firmware | * |
| tp-link | eap625gp-wall_firmware | * |
| tp-link | eap787_firmware | * |
| tp-link | eap772-outdoor_firmware | * |
| tp-link | er7206_firmware | * |
| tp-link | eap623-outdoor_hd_firmware | * |
| tp-link | eap615gp-wall_firmware | * |
| tp-link | eap720_firmware | * |
| tp-link | oc220_firmware | * |
| tp-link | er7406_firmware | * |
| tp-link | er7412-m2_firmware | * |
| tp-link | omada_controller | * |
| tp-link | oc300_firmware | * |
| tp-link | er706wp-4g_firmware | * |
| tp-link | eap653_firmware | * |
| tp-link | oc200_firmware | * |
| tp-link | oc220_firmware | - |
| tp-link | eap773_firmware | * |
| tp-link | eap650gp-desktop_firmware | * |
| tp-link | eap100-bridge_kit_firmware | * |
| tp-link | oc400_firmware | * |
| tp-link | g36w-4g_firmware | * |
| tp-link | er8411_firmware | * |
| tp-link | beam_bridge_5_ur_firmware | * |
| tp-link | fr365_firmware | * |
| tp-link | eap723_firmware | * |
| tp-link | eap211_bridge_kit_firmware | * |
| tp-link | dr3650v-4g_firmware | * |
| tp-link | eap655-wall_firmware | * |
| tp-link | eap650-desktop_firmware | * |
| tp-link | eap660_hd_firmware | * |
| tp-link | eap230-wall_firmware | * |
| tp-link | er706w_firmware | * |
| tp-link | er706w-4g_firmware | * |
| tp-link | eap235-wall_firmware | * |
| tp-link | eap215_bridge_kit_firmware | * |
A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tpcamera | * |
| tp-link | festa | * |
| tp-link | tp-partner | * |
| tp-link | aginet | * |
| tp-link | deco | * |
| tp-link | vigi | * |
| tp-link | omada | * |
| tp-link | kasa | * |
| tp-link | kidshield | * |
| tp-link | tapo | * |
| tp-link | tether | * |
| tp-link | wi-fi_navi | * |
| tp-link | wifi_toolkit | * |
| tp-link | omada_guard | * |
A vulnerability in the certificate validation logic may allow applications to accept untrusted or improperly validated server identities during TLS communication. An attacker in a privileged network position may be able to intercept or modify traffic if they can position themselves within the communication channel. Successful exploitation may compromise confidentiality, integrity, and availability of application data.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tpcamera | * |
| tp-link | festa | * |
| tp-link | tp-partner | * |
| tp-link | aginet | * |
| tp-link | deco | * |
| tp-link | vigi | * |
| tp-link | omada | * |
| tp-link | kasa | * |
| tp-link | kidshield | * |
| tp-link | tapo | * |
| tp-link | tether | * |
| tp-link | wi-fi_navi | * |
| tp-link | wifi_toolkit | * |
| tp-link | omada_guard | * |
The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c7_firmware | * |
| tp-link | tl-wr841nd_firmware | * |
| tp-link | tl-wr841n_firmware | * |
An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_controller | * |
Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_controller | * |
Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | omada_controller | * |
An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) and Archer AXE75 v1.0 allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE v1.0 < 1.5.3 Build 20260209 rel. 71108.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
A path traversal vulnerability was identified TP-Link Tapo C260 v1, D235 v1 and C520WS v2.6 within the HTTP server’s handling of GET requests. The server performs path normalization before fully decoding URL encoded input and falls back to using the raw path when normalization fails. An attacker can exploit this logic flaw by supplying crafted, URL encoded traversal sequences that bypass directory restrictions and allow access to files outside the intended web root. Successful exploitation may allow authenticated attackers to get disclosure of sensitive system files and credentials, while unauthenticated attackers may gain access to non-sensitive static assets.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c260_firmware | * |
On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cause full device compromise.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c260_firmware | * |
On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c260_firmware | * |
Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availability of the device. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | deco_be25_firmware | * |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TP-Link Deco BE25 v1.0 (web modules) allows authenticated adjacent attacker to read arbitrary files or cause denial of service. This issue affects Deco BE25 v1.0: through 1.1.1 Build 20250822.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | deco_be25_firmware | * |
Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. This issue affects Archer C20 v6.0 < V6_251031, Archer C20 v5 <EU_V5_260317 or < US_V5_260419 Archer AX53 v1.0 < V1_251215 TL-WR841N v13 < 0.9.1 Build 20231120 Rel.62366
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c20_firmware | 6.0 |
| tp-link | archer_ax53_firmware | 1.0 |
The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c220_firmware | * |
| tp-link | tapo_c520ws_firmware | * |
The HTTP parser of Tapo C210 v3, C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid‑URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c220_firmware | * |
| tp-link | tapo_c520ws_firmware | * |
By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c220_firmware | * |
| tp-link | tapo_c520ws_firmware | * |
An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | vigi_c385_firmware | * |
User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_c60_firmware | * |
A lack of proper input validation in the HTTP processing path in TP-Link Archer BE230 v1.2 (web modules) may allow a crafted request to cause the device’s web service to become unresponsive, resulting in a denial of service condition. A network adjacent attacker with high privileges could cause the device’s web interface to temporarily stop responding until it recovers or is rebooted. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID.This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
A command injection vulnerability may be exploited after the admin's authentication in the cloud communication interface on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
A command injection vulnerability may be exploited after the admin's authentication in the VPN Connection Service on the Archer BE230 v1.2 and Archer AXE75 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Archer AXE v1.0 < 1.5.3 Build 20260209 rel. 71108.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
A command injection vulnerability may be exploited after the admin's authentication in the VPN server configuration module on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
A command injection vulnerability may be exploited after the admin's authentication via the configuration backup restoration function of the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
A command injection vulnerability may be exploited after the admin's authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2 and Deco BE25 v1.0. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420 and Deco BE25 v1.0: through 1.1.1 Build 20250822.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_be230_firmware | * |
A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. In the router configuration import function allows an authenticated attacker to upload a crafted configuration file that results in execution of OS commands with root privileges during port-trigger processing. Successful exploitation allows an authenticated attacker to execute system commands with root privileges, leading to full device compromise.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr840n_firmware | * |
| tp-link | tl-wr841n_firmware | * |
| tp-link | tl-wr802n_firmware | * |
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to insufficient boundary validation when handling externally supplied HTTP input. An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries. Successful exploitation causes a Denial-of-Service (DoS) condition, causing the device’s process to crash or become unresponsive.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c520ws_firmware | * |
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP parsing loop when appending segmented request bodies without continuous write‑boundary verification, due to insufficient boundary validation when handling externally supplied HTTP input. An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries. Successful exploitation causes a Denial-of-Service (DoS) condition, causing the device’s process to crash or become unresponsive.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c520ws_firmware | * |
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the asynchronous parsing of local video stream content due to insufficient alignment and validation of buffer boundaries when processing streaming inputs.An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries. Successful exploitation causes a Denial-of-Service (DoS) condition, causing the device’s process to crash or become unresponsive.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c520ws_firmware | * |
An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c520ws_firmware | * |
A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within a configuration handling component due to insufficient input validation. An attacker can exploit this vulnerability by supplying an excessively long value for a vulnerable configuration parameter, resulting in a stack overflow. Successful exploitation results in Denial-of-Service (DoS) condition, leading to a service crash or device reboot, impacting availability.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c520ws_firmware | * |
A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause buffer overflow and memory corruption, leading to system interruption or device reboot.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tapo_c520ws_firmware | * |
The vulnerability exists in the UPnP component of TL-WR841N v14, where improper input validation leads to an out-of-bounds read, potentially causing a crash of the UPnP service. Successful exploitation can cause the UPnP service to crash, resulting in a Denial-of-Service condition. This vulnerability affects TL-WR841N v14 < EN_0.9.1 4.19 Build 260303 Rel.42399n (V14_260303) and < US_0.9.1.4.19 Build 260312 Rel. 49108n (V14_0304).
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr841n_firmware | * |
The vulnerability affecting TL-WR850N v3 allows cleartext storage of administrative and Wi-Fi credentials in a region of the device’s flash memory while the serial interface remains enabled and protected by weak authentication. An attacker with physical access and the ability to connect to the serial port can recover sensitive information, including the router’s management password and wireless network key. Successful exploitation can lead to full administrative control of the device and unauthorized access to the associated wireless network.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| tp-link | tl-wr850n_firmware | * |