Web API Privilege Escalation in TP-Link EAP and Omada Controllers
CVE-2018-10168

8.8HIGH

Key Information:

Vendor: Tp-link
Status: Eap Controller
Vendor: CVE Published:; 3 May 2018

What is CVE-2018-10168?

The TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows and 2.6.0_Windows contain a vulnerability that permits low-privileged users to interact with the Web API without appropriate authorization. This flaw allows these users to execute requests that should only be available to administrators. To mitigate this issue, it is essential to upgrade to version 2.6.1_Windows, which addresses the privilege control deficiency.

References

http://www.securityfocus.com/bid/104094

vdb-entryx_refsource_BID

https://www.coresecurity.com/advisories/tp-link-eap-contr...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 3, 2018
Vulnerability Reserved
Apr 16, 2018

Tp-link

What is CVE-2018-10168?

References

CVSS V3.1

Timeline