Stored XSS Vulnerability in TP-Link EAP and Omada Controllers
CVE-2018-10164
5.4 MEDIUM
Summary
A stored cross-site scripting (XSS) vulnerability in TP-Link's EAP Controller and Omada Controller affects specific Windows versions. Authenticated attackers can inject arbitrary web script or HTML through the portalPictureUpload feature, potentially leading to unauthorized actions on behalf of users. Users of the affected products should upgrade to version 2.6.1_Windows to mitigate this risk.
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved