
Zhaoxin Li

Researcher from Chengdu Tongjin Middle School
#14922 of 53,632
18 Total CVSS
Vulnerabilities · 2
High
2
PT-2017-14988
9.0
2017-12-19
Tp Link · Tp-Link Tl-War · CVE-2017-17757
**Name of the Vulnerable Software and Affected Versions** TP-Link TL-WVR and TL-WAR devices (affected versions not specified)

**Description** The issue allows remote authenticated users to execute arbitrary commands by injecting shell metacharacters in the interface field of an admin/wportal command to the "cgi-bin/luci" endpoint. This is related to the `get_device_byif` function in the `/usr/lib/lua/luci/controller/admin/wportal.lua` file in `uhttpd`.

**Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2017-14989
9.0
2017-12-19
Tp Link · Tp-Link Tl-War · CVE-2017-17758
**Name of the Vulnerable Software and Affected Versions** TP-Link TL-WVR and TL-WAR devices (affected versions not specified)

**Description** The issue allows remote authenticated users to execute arbitrary commands by injecting shell metacharacters in the interface field of an admin/dhcps command to the "cgi-bin/luci" endpoint. This is related to the `zone_get_iface_bydev` function in the `/usr/lib/lua/luci/controller/admin/dhcps.lua` file in `uhttpd`.

**Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.