CVE-2017-17757

CVE-2017-17757 affects TP-Link TL-WVR and TL-WAR devices. The vulnerability exists in the uhttpd web interface (admin/wportal) via shell metacharacters in the interface field passed to cgi-bin/luci, related to get_device_byif in /usr/lib/lua/luci/controller/admin/wportal.lua, allowing remote auth...

Command injection

TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the tbindif field of an admin/interface command to cgi-bin/luci, related to the getdevicebyif function in /usr/lib/lua/luci/controller/admin/interface.lua in...

Command injection

TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the iface field of an admin/diagnostic command to cgi-bin/luci, related to the zonegeteffectdevices function in...

CVE-2017-16958

TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the tbindif field of an admin/bridge command to cgi-bin/luci, related to the getdevicebyif function in /usr/lib/lua/luci/controller/admin/bridge.lua in uhttpd...

CVE-2017-16959

The locale feature in cgi-bin/luci on TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allows remote authenticated users to test for the existence of arbitrary files by making an operation=write;locale=%0d request, and then making an operation=read request with a crafted Accept-Language HTTP heade...

CVE-2017-16960

TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the tbindif field of an admin/interface command to cgi-bin/luci, related to the getdevicebyif function in /usr/lib/lua/luci/controller/admin/interface.lua in...

Design/Logic Flaw

The locale feature in cgi-bin/luci on TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allows remote authenticated users to test for the existence of arbitrary files by making an operation=write;locale=%0d request, and then making an operation=read request with a crafted Accept-Language HTTP heade...

CVE-2017-16959

The locale feature in cgi-bin/luci on TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allows remote authenticated users to test for the existence of arbitrary files by making an operation=write;locale=%0d request, and then making an operation=read request with a crafted Accept-Language HTTP heade...

CVE-2017-16958

TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the tbindif field of an admin/bridge command to cgi-bin/luci, related to the getdevicebyif function in /usr/lib/lua/luci/controller/admin/bridge.lua in uhttpd...

CVE-2017-16960

This entry (CVE-2017-16960) concerns TP-Link devices TL-WVR, TL-WAR, TL-ER, and TL-R where remote authenticated users can execute arbitrary commands via shell metacharacters in the t_bindif parameter sent to cgi-bin/luci, related to get_device_byif in /usr/lib/lua/luci/controller/admin/interface....

CVE-2017-16957

CVE-2017-16957 affects TP-Link TL-WVR, TL-WAR, TL-ER and TL-R devices. A remote authenticated attacker can inject shell metacharacters via the iface field in the admin/diagnostic interface (cgi-bin/luci) that calls zone_get_effect_devices in /usr/lib/lua/luci/controller/admin/diagnostic.lua, trig...

VulnCheck KEV: CVE-2016-10176

The NETGEAR WNR2000v5 router allows an administrator to perform sensitive actions by invoking the apply.cgi URL on the web server of the device. This special URL is handled by the embedded web server uhttpd and processed accordingly. The web server also contains another URL, applynoauth.cgi,...

CVE-2016-10176

The NETGEAR WNR2000v5 router allows an administrator to perform sensitive actions by invoking the apply.cgi URL on the web server of the device. This special URL is handled by the embedded web server uhttpd and processed accordingly. The web server also contains another URL, applynoauth.cgi, that...

CVE-2016-10176

The NETGEAR WNR2000v5 router allows an administrator to perform sensitive actions by invoking the apply.cgi URL on the web server of the device. This special URL is handled by the embedded web server uhttpd and processed accordingly. The web server also contains another URL, applynoauth.cgi, that...