ID

VAR-201410-0027


CVE

CVE-2013-2645


TITLE

TP-LINK WR1043ND Cross-site request forgery vulnerability in router firmware

Trust: 0.8

sources: JVNDB: JVNDB-2013-006658

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities on the TP-LINK WR1043N router with firmware TL-WR1043ND_V1_120405 allow remote attackers to hijack the authentication of administrators for requests that (1) enable FTP access (aka "FTP directory traversal") to /tmp via the shareEntire parameter to userRpm/NasFtpCfgRpm.htm, (2) change the FTP administrative password via the nas_admin_pwd parameter to userRpm/NasUserAdvRpm.htm, (3) enable FTP on the WAN interface via the internetA parameter to userRpm/NasFtpCfgRpm.htm, (4) launch the FTP service via the startFtp parameter to userRpm/NasFtpCfgRpm.htm, or (5) enable or disable bandwidth limits via the QoSCtrl parameter to userRpm/QoSCfgRpm.htm. The TP-LINK TL-WR1043ND is a wireless router device. The TP-LINK TL-WR1043ND router has a cross-site request forgery vulnerability that allows remote attackers to build malicious URIs, entice logged-in users to open them, and perform malicious operations in the target user's context, change administrator passwords, or enable management services. The TP-Link TL-WR1043N Router is prone to a cross-site request-forgery vulnerability. Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device.

Trust: 2.52

sources: NVD: CVE-2013-2645 // JVNDB: JVNDB-2013-006658 // CNVD: CNVD-2013-04055 // BID: 59442 // VULHUB: VHN-62647

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-04055

AFFECTED PRODUCTS

vendor: tp link, model: -, scope: eq, version: tl-wr1043nd_v1_120405

Trust: 1.6

vendor: tp link, model: tl-wr1043nd, scope: eq, version: v1_120405

Trust: 0.8

vendor: tp link, model: tl-wr1043nd v1 120405, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2013-04055 // JVNDB: JVNDB-2013-006658 // CNNVD: CNNVD-201304-533 // NVD: CVE-2013-2645

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-2645
value: HIGH

Trust: 1.0

NVD: CVE-2013-2645
value: HIGH

Trust: 0.8

CNVD: CNVD-2013-04055
value: LOW

Trust: 0.6

CNNVD: CNNVD-201304-533
value: CRITICAL

Trust: 0.6

VULHUB: VHN-62647
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-2645
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-04055
severity: LOW
baseScore: 2.3
vectorString: AV:A/AC:M/AU:S/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-62647
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2013-04055 // VULHUB: VHN-62647 // JVNDB: JVNDB-2013-006658 // CNNVD: CNNVD-201304-533 // NVD: CVE-2013-2645

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-62647 // JVNDB: JVNDB-2013-006658 // NVD: CVE-2013-2645

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201304-533

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201304-533

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006658

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-62647

PATCH

title: TL-WR1043ND, url: http://www.tp-link.com/lk/search/?keywords=WR1043N

Trust: 0.8

sources: JVNDB: JVNDB-2013-006658

EXTERNAL IDS

db: NVD, id: CVE-2013-2645

Trust: 3.4

db: BID, id: 59442

Trust: 1.0

db: JVNDB, id: JVNDB-2013-006658

Trust: 0.8

db: CNNVD, id: CNNVD-201304-533

Trust: 0.7

db: CNVD, id: CNVD-2013-04055

Trust: 0.6

db: EXPLOIT-DB, id: 38492

Trust: 0.1

db: VULHUB, id: VHN-62647

Trust: 0.1

sources: CNVD: CNVD-2013-04055 // VULHUB: VHN-62647 // BID: 59442 // JVNDB: JVNDB-2013-006658 // CNNVD: CNNVD-201304-533 // NVD: CVE-2013-2645

REFERENCES

url:http://securityevaluators.com/knowledge/case_studies/routers/tp-link_wr1043n.php

Trust: 2.5

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-2645

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-2645

Trust: 0.8

url:http://news.cnet.com/8301-1009_3-57579981-83/top-wi-fi-routers-easy-to-hack-says-study/

Trust: 0.6

url:http://securityevaluators.com/content/case-studies/routers/soho_router_hacks.jsp

Trust: 0.6

url:http://securityevaluators.com/content/case-studies/routers/tp-link_wr1043n.jsp

Trust: 0.6

url:http://www.securityfocus.com/bid/59442

Trust: 0.6

url:http://www.tp-link.com/

Trust: 0.3

sources: CNVD: CNVD-2013-04055 // VULHUB: VHN-62647 // BID: 59442 // JVNDB: JVNDB-2013-006658 // CNNVD: CNNVD-201304-533 // NVD: CVE-2013-2645

CREDITS

Jacob Holcomb, Independent Security Evaluators

Trust: 0.9

sources: BID: 59442 // CNNVD: CNNVD-201304-533

SOURCES

db: CNVD, id: CNVD-2013-04055
db: VULHUB, id: VHN-62647
db: BID, id: 59442
db: JVNDB, id: JVNDB-2013-006658
db: CNNVD, id: CNNVD-201304-533
db: NVD, id: CVE-2013-2645

LAST UPDATE DATE

2024-08-14T15:44:46.148000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-04055, date: 2013-04-24T00:00:00
db: VULHUB, id: VHN-62647, date: 2014-10-06T00:00:00
db: BID, id: 59442, date: 2013-04-24T00:00:00
db: JVNDB, id: JVNDB-2013-006658, date: 2014-10-07T00:00:00
db: CNNVD, id: CNNVD-201304-533, date: 2015-04-30T00:00:00
db: NVD, id: CVE-2013-2645, date: 2014-10-06T18:50:36.540

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-04055, date: 2013-04-24T00:00:00
db: VULHUB, id: VHN-62647, date: 2014-10-06T00:00:00
db: BID, id: 59442, date: 2013-04-24T00:00:00
db: JVNDB, id: JVNDB-2013-006658, date: 2014-10-07T00:00:00
db: CNNVD, id: CNNVD-201304-533, date: 2013-04-25T00:00:00
db: NVD, id: CVE-2013-2645, date: 2014-10-06T01:55:07.727