CVE-2017-16959

Name of the Vulnerable Software and Affected Versions TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices (affected versions not specified)

Description The locale feature in cgi-bin/luci allows remote authenticated users to test for the existence of arbitrary files. This is achieved by making an operation=write;locale=%0d request, followed by an operation=read request with a crafted Accept-Language HTTP header. The issue is related to the set sysinfo and get sysinfo functions in /usr/lib/lua/luci/controller/locale.lua in uhttpd.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.