CVE-2018-11714

9.8CRITICAL

Key Information:

Vendor: Tp-link
Status: Tl-wr840n Firmware
Vendor: CVE Published:; 4 June 2018

Summary

An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling on the /cgi/ folder or a /cgi file. If an attacker sends a header of "Referer: http://192.168.0.1/mainFrame.htm" then no authentication is required for any action.

References

http://blog.securelayer7.net/time-to-disable-tp-link-home...

x_refsource_MISC

https://www.exploit-db.com/exploits/44781/

exploitx_refsource_EXPLOIT-DB

EPSS Score

20% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability Reserved
Oct 3, 2022
Vulnerability published
Jun 4, 2018