PT-2020-6642 · TP-Link · TP-Link TL-WPA4220

Oriol Castejón · Published 2020-08-13 · Updated 2020-12-01 · CVE-2020-24297

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: TP-Link TL-WPA4220 versions 2 through 4

Description: The issue is related to the httpd daemon on TP-Link TL-WPA4220 devices, which fails to neutralize special elements used in an operating system command. This allows a remote authenticated user to execute arbitrary OS commands by sending a crafted POST request to the endpoint "/admin/powerline".

Recommendations: For versions 2 through 4, update to the fixed version TL-WPA4220(EU) V4 201023 to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/powerline" endpoint until the update is applied.
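The "neutralize special elements" the description refers to is the CWE-78 fix pattern: validate the request parameter against a strict allowlist and never hand it to a shell. The following is an added illustration of that pattern, not TP-Link's code or its actual patch; `valid_device_name`, `run_tool_safely` and the parameter format are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Characters that turn a parameter into extra shell syntax when it is
 * pasted into a system()/popen() command string. Denylist shown for
 * reference only; the allowlist below is the check to rely on. */
static const char SHELL_META[] = ";|&`$(){}<>\n\r'\"\\*?~[]!#";

bool has_shell_meta(const char *s) {
    for (; *s; s++)
        if (strchr(SHELL_META, *s)) return true;
    return false;
}

/* Allowlist (hypothetical format): 1..32 chars from [A-Za-z0-9_-]. */
bool valid_device_name(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 32) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return false;
    }
    return true;
}

/* Hardened invocation: reject anything outside the allowlist, then run a
 * fixed binary via execve with the value as one argv element, so no shell
 * ever parses it. Returns the tool's exit status, or -1 on rejection/error. */
int run_tool_safely(const char *tool_path, const char *name) {
    if (!valid_device_name(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool_path, (char *)name, NULL };
        char *const envp[] = { NULL };
        execve(tool_path, argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```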

Exploit

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: BDU:2022-02130, CVE-2020-24297

Affected Products: TP-Link TL-WPA4220