9

CVE-2020-24297

Exploit
httpd on TP-Link TL-WPA4220 devices (versions 2 through 4) allows remote authenticated users to execute arbitrary OS commands by sending crafted POST requests to the endpoint /admin/powerline. Fixed version: TL-WPA4220(EU)_V4_201023
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Tp-linkTl-wpa4220 Firmware
   Tp-linkTl-wpa4220 Versionv2
Tp-linkTl-wpa4220 Firmware
   Tp-linkTl-wpa4220 Versionv3
Tp-linkTl-wpa4220 Firmware Version < tl-wpa4220\(eu\)_v4_201023
   Tp-linkTl-wpa4220 Versionv4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.61% 0.88
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 9 8 10
AV:N/AC:L/Au:S/C:C/I:C/A:C
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://the-hyperbolic.com/posts/vulnerabilities-in-tlwpa4220/
Third Party Advisory
Exploit
https://www.tp-link.com/us/support/download/
Vendor Advisory
Product