6 matches found
Cross site request forgery (csrf)
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4Windows/2.6.0Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain. This is fix...
Cross site scripting
Stored Cross-site scripting XSS vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4Windows/2.6.0Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user creation functionality. This is fixed in version...
CVE-2018-10167
The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4Windows/2.6.0Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in...
CVE-2018-10164
Stored Cross-site scripting XSS vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4Windows/2.6.0Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version...
CVE-2018-10167
The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4Windows/2.6.0Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in...
CVE-2018-10164
Stored Cross-site scripting XSS vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4Windows/2.6.0Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUpload functionality. This is fixed in version...