vendor: WL54AP3 and WL54AP2
by: Jussi Vuokko and Henri Lindberg
CVSS: N/A
N/A
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)
CWE: 352 (Cross-Site Request Forgery (CSRF)) and 79 (Cross-Site Scripting (XSS))
Product Name: WL54AP3 and WL54AP2
Affected Version From: Any firmware
Affected Version To: Any firmware
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability

A-Link WLAN54AP3 does not validate the origin of an HTTP request. If an attacker is able to make a user view malicious content, the WLAN54AP3 device can be controlled by submitting malicious HTTP requests. This is possible because the device does not require authentication for administrative requests. In addition, the management interface performs no input validation or output encoding, which makes it vulnerable to cross-site scripting.

Mitigation:

The vendor has released an updated version.