CVE-2017-16957

Name of the Vulnerable Software and Affected Versions TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices (affected versions not specified)

Description The issue allows remote authenticated users to execute arbitrary commands by injecting shell metacharacters in the iface field of an admin/diagnostic command to the "cgi-bin/luci" endpoint. This is related to the zone get effect devices function in the /usr/lib/lua/luci/controller/admin/diagnostic.lua file in uhttpd.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.