TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
References
Link | Resource |
---|---|
https://github.com/0xcc-Since2016/TP-Link-WDR-Router-Command-injection_POC/blob/master/poc.py | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Information
Published : 2019-01-18 02:29
Updated : 2020-08-24 10:37
NVD link : CVE-2019-6487
Mitre link : CVE-2019-6487
JSON object : View
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Products Affected
tp-link
- tl-wdr3500_firmware
- tl-wdr5620
- tl-wdr4300
- tl-wdr4300_firmware
- tl-wdr3500
- tl-wdr5620_firmware
- tl-wdr4900
- tl-wdr4900_firmware
- tl-wdr3600_firmware
- tl-wdr3600