Multiple vulnerabilities in TP-Link products(CVE-2017-15613 to CVE-2017-15637)

deHakkelaar · January 11, 2018, 11:23am

chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt

Multiple vulnerabilities in TP-Link products(CVE-2017-15613 to CVE-2017-15637)


Introduction:
================
The WVR-, WAR- and ER- products are the SOHO/WIFI routers of TP-Link.
These issues allow remote authenticated administrators to execute arbitrary commands via command injection through different variables of different lua files. 
If the attacker obtains the account and password of the router, then he can execute the arbitrary command through this command injection vulnerability. 
These vulnerabilities can be triggered in LAN and WAN(if the "remote management" function is enabled).


Vulnerability Type:
================
Command Injection (Authenticated)


Product:
================
We has tested these vulnerabilities on TL-WVR450L(the latest version is TL-WVR450L V1.0161125) and TL-WVR900G(TL-WVR900G V3.0_170306).
And the following model should also be affected and the vendor has confirmed:

This file has been truncated. show original