TP-Link C2 and C20i vulnerable to command injection (authenticated root RCE), DoS, improper firewall rules

Posted by Pierre Kim on Feb 09

## Advisory Information

Title: TP-Link C2 and C20i vulnerable to command injection (authenticated root RCE), DoS, improper firewall rules
Advisory URL: https://pierrekim.github.io/advisories/2017-tplink-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2017-02-09-tplink-c2-and-c20i-vulnerable.html
Date published: 2017-02-09
Vendors contacted: TP-Link
Release mode: Released
CVE: no current CVE

## Product Description

TP-Link is a Chinese…

CVE-2017-5591

An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 – 0.10) and other products.

CVE-2017-5592

An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for profanity (0.4.7 – 0.5.0).

CVE-2017-5593

An incorrect implementation of “XEP-0280: Message Carbons” in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application’s display. This allows for various kinds of social engineering attacks. This CVE is for Psi+ (0.16.563.580 – 0.16.571.627).