CVE-2019-6487
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
18/01/2019
Last modified:
24/08/2020
Description
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
6.50
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:tp-link:tl-wdr5620_firmware:*:*:*:*:*:*:*:* | 3.0 (including) | |
| cpe:2.3:h:tp-link:tl-wdr5620:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:tp-link:tl-wdr3500_firmware:*:*:*:*:*:*:*:* | 3.0 (including) | |
| cpe:2.3:h:tp-link:tl-wdr3500:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:tp-link:tl-wdr3600_firmware:*:*:*:*:*:*:*:* | 3.0 (including) | |
| cpe:2.3:h:tp-link:tl-wdr3600:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:tp-link:tl-wdr4300_firmware:*:*:*:*:*:*:*:* | 3.0 (including) | |
| cpe:2.3:h:tp-link:tl-wdr4300:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:tp-link:tl-wdr4900_firmware:*:*:*:*:*:*:*:* | 3.0 (including) | |
| cpe:2.3:h:tp-link:tl-wdr4900:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page