Filtered by vendor Tp-link
Total: 364 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2018-18428 | 1 Tp-link | 2 Tl-sc3130, Tl-sc3130 Firmware | 2024-08-05 | N/A |
TP-Link TL-SC3130 1.6.18P12_121101 devices allow unauthenticated RTSP stream access, as demonstrated by a /jpg/image.jpg URI. | ||||
CVE-2018-16119 | 1 Tp-link | 2 Tl-wr1043nd, Tl-wr1043nd Firmware | 2024-08-05 | N/A |
Stack-based buffer overflow in the httpd server of TP-Link WR1043nd (Firmware Version 3) allows remote attackers to execute arbitrary code via a malicious MediaServer request to /userRpm/MediaServerFoldersCfgRpm.htm. | ||||
CVE-2018-15840 | 1 Tp-link | 2 Tl-wr840n, Tl-wr840n Firmware | 2024-08-05 | N/A |
TP-Link TL-WR840N devices allow remote attackers to cause a denial of service (networking outage) via fragmented packets, as demonstrated by an "nmap -f" command. | ||||
CVE-2018-15172 | 1 Tp-link | 2 Tl-wr840n, Tl-wr840n Firmware | 2024-08-05 | N/A |
TP-Link WR840N devices have a buffer overflow via a long Authorization HTTP header. | ||||
CVE-2018-14336 | 1 Tp-link | 1 Wr840n | 2024-08-05 | N/A |
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses. | ||||
CVE-2018-13134 | 1 Tp-link | 2 Archer C1200, Archer C1200 Firmware | 2024-08-05 | N/A |
TP-Link Archer C1200 1.13 Build 2018/01/24 rel.52299 EU devices have XSS via the PATH_INFO to the /webpages/data URI. | ||||
CVE-2018-12576 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2024-08-05 | N/A |
TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow clickjacking. | ||||
CVE-2018-12575 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2024-08-05 | N/A |
On TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 171019 Rel.55346n devices, all actions in the web interface are affected by bypass of authentication via an HTTP request. | ||||
CVE-2018-12577 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2024-08-05 | N/A |
The Ping and Traceroute features on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow authenticated blind Command Injection. | ||||
CVE-2018-12574 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2024-08-05 | N/A |
CSRF exists for all actions in the web interface on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices. | ||||
CVE-2018-11481 | 1 Tp-link | 8 Ipc Tl-ipc223\(p\)-6, Ipc Tl-ipc223\(p\)-6 Firmware, Tl-ipc323k-d and 5 more | 2024-08-05 | N/A |
TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters. | ||||
CVE-2018-11482 | 1 Tp-link | 8 Ipc Tl-ipc223\(p\)-6, Ipc Tl-ipc223\(p\)-6 Firmware, Tl-ipc323k-d and 5 more | 2024-08-05 | N/A |
/usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded zMiVw8Kw0oxKXL0 password. | ||||
CVE-2018-10167 | 1 Tp-link | 1 Eap Controller | 2024-08-05 | N/A |
The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows. | ||||
CVE-2018-10166 | 1 Tp-link | 1 Eap Controller | 2024-08-05 | N/A |
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. This is fixed in version 2.6.1_Windows. | ||||
CVE-2018-10164 | 1 Tp-link | 1 Eap Controller | 2024-08-05 | N/A |
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version 2.6.1_Windows. | ||||
CVE-2018-10168 | 1 Tp-link | 1 Eap Controller | 2024-08-05 | N/A |
TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows. | ||||
CVE-2018-10165 | 1 Tp-link | 1 Eap Controller | 2024-08-05 | N/A |
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version 2.6.1_Windows. | ||||
CVE-2018-5393 | 1 Tp-link | 1 Eap Controller | 2024-08-05 | N/A |
The TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. It utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface does not require any authentication before use, so it lacks user authentication for RMI service commands in EAP controller versions 2.5.3 and earlier. Remote attackers can implement deserialization attacks through the RMI protocol. Successful attacks may allow a remote attacker to remotely control the target server and execute Java functions or bytecode. | ||||
CVE-2019-19143 | 1 Tp-link | 2 Tl-wr849n, Tl-wr849n Firmware | 2024-08-05 | 6.1 Medium |
TP-LINK TL-WR849N 0.9.1 4.16 devices do not require authentication to replace the firmware via a POST request to the cgi/softup URI. | ||||
CVE-2019-17147 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2024-08-05 | 8.8 High |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-LINK TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 80 by default. When parsing the Host request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length static buffer. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-8457. |