CVE-2017-16958

Name of the Vulnerable Software and Affected Versions TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices (affected versions not specified)

Description The issue allows remote authenticated users to execute arbitrary commands by injecting shell metacharacters in the t bindif field of an admin/bridge command to "cgi-bin/luci". This is related to the get device byif function in /usr/lib/lua/luci/controller/admin/bridge.lua in uhttpd.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.