| Max CVSS | 6.8 | Min CVSS | 3.5 | Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published | |
| CVE-2018-10168 | 6.5 |
TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows do not control privileges for usage of the Web API, allowing a low-privilege user to make any request as an Administrator. This is fixed in version 2.6.1_Windows.
|
03-10-2019 - 00:03 | 03-05-2018 - 18:29 | |
| CVE-2018-10167 | 6.0 |
The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege u
|
12-06-2018 - 18:30 | 03-05-2018 - 18:29 | |
| CVE-2018-10165 | 3.5 |
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the userName parameter in the local user
|
12-06-2018 - 18:28 | 03-05-2018 - 18:29 | |
| CVE-2018-10166 | 6.8 |
The web management interface in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows does not have Anti-CSRF tokens in any forms. This would allow an attacker to submit authenticated requests when an authenticated user
|
12-06-2018 - 18:28 | 03-05-2018 - 18:29 | |
| CVE-2018-10164 | 3.5 |
Stored Cross-site scripting (XSS) vulnerability in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows allows authenticated attackers to inject arbitrary web script or HTML via the implementation of portalPictureUploa
|
12-06-2018 - 18:28 | 03-05-2018 - 18:29 |