Vulnerability Details CVE-2018-11481
TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.018
EPSS Ranking 81.8%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
Products affected by CVE-2018-11481
- cpe:2.3:h:tp-link:ipc_tl-ipc223(p)-6:-
- cpe:2.3:h:tp-link:tl-ipc323k-d:-
- cpe:2.3:h:tp-link:tl-ipc325(kp):-
- cpe:2.3:h:tp-link:tl-ipc40a-4:-
- cpe:2.3:o:tp-link:ipc_tl-ipc223(p)-6_firmware:*
- cpe:2.3:o:tp-link:tl-ipc323k-d_firmware:*
- cpe:2.3:o:tp-link:tl-ipc325(kp)_firmware:*
- cpe:2.3:o:tp-link:tl-ipc40a-4_firmware:*