| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Mar 2024 12:51:30 +0400 From: Shaikh Shahnawaz <sshahnawaz99910@...il.com> To: fulldisclosure@...lists.org Subject: [FD] JetStream Smart Switch - TL-SG2210P v5.0/ Improper Access Control / CVE-2023-43318 [+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC [+] twitter.com/_striv3r_ [Vendor] Tp-Link (http://tp-link.com) [Product] JetStream Smart Switch - TL-SG2210P v5.0 Build 20211201 [Vulnerability Type] Improper Access Control [Affected Product Code Base] JetStream Smart Switch - TL-SG2210P v5.0 Build 20211201 [Affected Component] usermanagement, swtmactablecfg endpoints of webconsole [CVE Reference] CVE-2023-43318 [Security Issue] TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allows attackers to escalate privileges via modification of the 'tid' and 'usrlvl' values in GET requests. [Exploit/POC] N/A [Network Access] Remote [Severity] High [Disclosure Timeline] Vendor Notification: September 12, 2023 Vendor released fixed firmware TL-SG2210P(UN)_V5.20_5.20.1 Build 20240202: February 29, 2024 March 1, 2024 : Public Disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists