Vulnerability CVE-2014-9510

Vulnerability Name:

CVE-2014-9510 (CCN-101295)

Assigned:

2015-01-07

Published:

2015-01-07

Updated:

2015-01-13

Summary:

Cross-site request forgery (CSRF) vulnerability in the administration console in TP-Link TL-WR840N (V1) router with firmware before 3.13.27 build 141120 allows remote attackers to hijack the authentication of administrators for requests that change router settings via a configuration file import.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-352

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2014-9510

Source: CCN
Type: Full Disclosure Mailing List, Wed 7 Jan 2015
CVE-2014-9510 - TP-Link TL-WR840N Configuration Import Cross-Site Request Forgery (CSRF)

Source: FULLDISC
Type: UNKNOWN
20150107 CVE-2014-9510 - TP-Link TL-WR840N Configuration Import Cross-Site Request Forgery (CSRF)

Source: MISC
Type: UNKNOWN
http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2015-001/

Source: BID
Type: UNKNOWN
71913

Source: CCN
Type: BID-71913
TP-Link TL-WR840N 'Import Configuration' Option Cross Site Request Forgery Vulnerability

Source: CONFIRM
Type: Patch
http://www.tp-link.com/en/support/download/?model=TL-WR840N&version=V1

Source: CCN
Type: TP-Link Products Web site
300Mbps Wireless N Router TL-WR840N - Welcome to TP-LINK

Source: XF
Type: UNKNOWN
tplink-cve20149510-csrf(101295)

Vulnerable Configuration:

Configuration 1:

cpe:/o:tp-link:tl-wr840n_firmware:3.13.27:*:*:*:*:*:*:*

AND

cpe:/h:tp-link:tl-wr840n:1.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK