Related vulnerability
Description
JetStream Smart Switch - TL-SG2210P v5.0/ Improper Access Control / CVE-2023-43318
Introduction
# CVE-2023-43318
## JetStream Smart Switch - TL-SG2210P v5.0/ Improper Access Control / CVE-2023-43318
[+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC
[+] [Twitter](https://twitter.com/_striv3r_)
### Vendor:
TP-Link (http://tp-link.com)
### Product:
JetStream Smart Switch - TL-SG2210P
### Vulnerability Type:
Incorrect Access Control (DOS)
### Affected Product Code Base:
JetStream Smart Switch - TL-SG2210P 5.0 Build 20211201
### Affected Component:
usermanagement, swtmactablecfg endpoints
### Security Issue:
TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allows attackers to escalate privileges via modification of the 'tid' and 'usrlvl' values in GET requests.
### Attack Vectors:
A successful breach could grant improper admin controls, potentially compromising the system. Lower privilege users can access admin level endpoints via their own token ID.
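
As an added example (not part of the original advisory and not TP-Link's code), the following audit flags requests whose `tid` or `usrlvl` is not backed by the privilege level recorded for that session at login. The log layout, URL paths, `usrlvl` encoding and session table are constructed assumptions; only `tid`, `usrlvl` and the two component names come from the advisory.

```python
from urllib.parse import urlsplit, parse_qs

# Component names come from the advisory; everything else below is constructed.
ADMIN_COMPONENTS = ("usermanagement", "swtmactablecfg")
ADMIN_LEVEL = "3"  # assumed encoding of the admin level, not from the advisory

# Constructed session table: tid -> level the device assigned at login.
SESSIONS = {"a1b2c3": "3", "d4e5f6": "1"}

# Constructed request log: "<client> <method> <request-target>".
SAMPLE_LOG = [
    "10.0.0.5 GET /data/usermanagement.json?tid=a1b2c3&usrlvl=3",
    "10.0.0.9 GET /data/portstatus.json?tid=d4e5f6&usrlvl=1",
    "10.0.0.9 GET /data/usermanagement.json?tid=d4e5f6&usrlvl=3",
    "10.0.0.9 GET /data/swtmactablecfg.json?tid=d4e5f6&usrlvl=1",
    "10.0.0.7 GET /data/swtmactablecfg.json?tid=zzzzzz&usrlvl=3",
]

def audit(log_lines, sessions):
    """Return (client, tid, path, reasons) for requests whose claimed
    privilege is not backed by the server-side session record."""
    findings = []
    for line in log_lines:
        client, _method, target = line.split(maxsplit=2)
        url = urlsplit(target)
        query = parse_qs(url.query)
        tid = query.get("tid", [None])[0]
        claimed = query.get("usrlvl", [None])[0]
        actual = sessions.get(tid)  # level recorded at login, if any
        reasons = []
        if actual is None:
            reasons.append("tid not issued by any login")
        else:
            if claimed is not None and claimed != actual:
                reasons.append("usrlvl differs from session level")
            if actual != ADMIN_LEVEL and any(c in url.path for c in ADMIN_COMPONENTS):
                reasons.append("non-admin tid on admin component")
        if reasons:
            findings.append((client, tid, url.path, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SESSIONS):
        print(finding)
```

The same comparison applies inside a request handler: the privilege level is looked up from the session record for the presented `tid`, and a level supplied in the request is never trusted.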
### CVE Reference:
CVE-2023-43318
### Network Access:
Remote
### Severity:
High
### Disclosure Timeline:
Vendor Notification: September 12, 2023
Vendor released fixed firmware TL-SG2210P(UN)_V5.20_5.20.1 Build 20240202: February 29, 2024
Public Disclosure: March 1, 2024