CVE-2018-11481

2018-05-3021:00:00

mitre

www.cve.org

9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.4%

JSON

TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters.

References

github.com/yough3rt/IOT-pwn-for-fun/blob/master/TP-LINK-websys-Authenticated-RCE