CVE-2017-17758

Name of the Vulnerable Software and Affected Versions TP-Link TL-WVR and TL-WAR devices (affected versions not specified)

Description The issue allows remote authenticated users to execute arbitrary commands by injecting shell metacharacters in the interface field of an admin/dhcps command to the "cgi-bin/luci" endpoint. This is related to the zone get iface bydev function in the /usr/lib/lua/luci/controller/admin/dhcps.lua file in uhttpd.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.