Описание
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fixed in version 2.6.1_Windows.
Ссылки
- Third Party AdvisoryVDB Entry
- ExploitThird Party Advisory
- Third Party AdvisoryVDB Entry
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:tp-link:eap_controller:2.5.4:*:*:*:*:windows:*:*
cpe:2.3:a:tp-link:eap_controller:2.6.0:*:*:*:*:windows:*:*
EPSS
Процентиль: 60%
0.00404
Низкий
8.8 High
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-352
Связанные уязвимости
CVSS3: 8.8
github
больше 3 лет назад
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fixed in version 2.6.1_Windows.
EPSS
Процентиль: 60%
0.00404
Низкий
8.8 High
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-352