TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
2019-01-18T10:29:00.190
2024-11-21T04:46:32.233
Modified
CVSSv3.0: 8.8 (HIGH)
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.0
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | tp-link | tl-wdr5620_firmware | ≤ 3.0 | Yes |
| Hardware | tp-link | tl-wdr5620 | - | No |
| Operating System | tp-link | tl-wdr3500_firmware | ≤ 3.0 | Yes |
| Hardware | tp-link | tl-wdr3500 | - | No |
| Operating System | tp-link | tl-wdr3600_firmware | ≤ 3.0 | Yes |
| Hardware | tp-link | tl-wdr3600 | - | No |
| Operating System | tp-link | tl-wdr4300_firmware | ≤ 3.0 | Yes |
| Hardware | tp-link | tl-wdr4300 | - | No |
| Operating System | tp-link | tl-wdr4900_firmware | ≤ 3.0 | Yes |
| Hardware | tp-link | tl-wdr4900 | - | No |