CVE-2018-11481

Name of the Vulnerable Software and Affected Versions TP-LINK IPC versions TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4

Description The issue allows authenticated remote code execution via crafted JSON data. This is because the /usr/lib/lua/luci/torchlight/validator.lua file does not block various punctuation characters.

Recommendations For TP-LINK IPC versions TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4, consider restricting access to the validator.lua file until a patch is available. As a temporary workaround, avoid using the /usr/lib/lua/luci/torchlight/validator.lua file for validation of user input. At the moment, there is no information about a newer version that contains a fix for this vulnerability.