Tianfeng Guan

**Name of the Vulnerable Software and Affected Versions** TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices (affected versions not specified) **Description** The issue allows remote authenticated users to execute arbitrary commands by injecting shell metacharacters in the `iface` field of an admin/diagnostic command to the "cgi-bin/luci" endpoint. This is related to the `zone get effect devices` function in the `/usr/lib/lua/luci/controller/admin/diagnostic.lua` file in `uhttpd`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices (affected versions not specified) **Description** The issue allows remote authenticated users to execute arbitrary commands by injecting shell metacharacters in the `t bindif` field of an admin/bridge command to "cgi-bin/luci". This is related to the `get device byif` function in `/usr/lib/lua/luci/controller/admin/bridge.lua` in `uhttpd`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices (affected versions not specified) **Description** The locale feature in cgi-bin/luci allows remote authenticated users to test for the existence of arbitrary files. This is achieved by making an operation=write;locale=%0d request, followed by an operation=read request with a crafted Accept-Language HTTP header. The issue is related to the set sysinfo and get sysinfo functions in /usr/lib/lua/luci/controller/locale.lua in uhttpd. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices (affected versions not specified) **Description** The issue allows remote authenticated users to execute arbitrary commands by injecting shell metacharacters in the `t bindif` field of an admin/interface command to "cgi-bin/luci". This is related to the `get device byif` function in `/usr/lib/lua/luci/controller/admin/interface.lua` in `uhttpd`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Asuswrt-Merlin firmware versions prior to 380.67 0 **Description** A stack buffer overflow issue exists in the httpd component of Asuswrt-Merlin firmware, allowing remote attackers to execute arbitrary code on the router. This can be achieved by sending a crafted HTTP GET request packet that includes a long `delete offline client` parameter in the URL. **Recommendations** For Asuswrt-Merlin firmware versions prior to 380.67 0, update to a version later than 380.67 0 to resolve the issue. As a temporary workaround, consider restricting access to the httpd component until a patch is available. Avoid using the `delete offline client` parameter in the affected HTTP endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Asuswrt-Merlin firmware versions (affected versions not specified) ASUS firmware for ASUS devices versions (affected versions not specified) **Description** A global buffer overflow issue exists in the networkmap of Asuswrt-Merlin firmware for ASUS devices and ASUS firmware, allowing remote attackers to write shellcode at any address in the heap. This can be exploited to execute arbitrary code on the router by hosting a crafted device description XML document at a URL specified within a Location header in an SSDP response. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.