Vulnerability Details CVE-2019-6487
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.249
EPSS Ranking 95.9%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
Products affected by CVE-2019-6487
-
cpe:2.3:h:tp-link:tl-wdr3500:-
-
cpe:2.3:h:tp-link:tl-wdr3600:-
-
cpe:2.3:h:tp-link:tl-wdr4300:-
-
cpe:2.3:h:tp-link:tl-wdr4900:-
-
cpe:2.3:h:tp-link:tl-wdr5620:-
-
cpe:2.3:o:tp-link:tl-wdr3500_firmware:1.0
-
cpe:2.3:o:tp-link:tl-wdr3500_firmware:1.2
-
cpe:2.3:o:tp-link:tl-wdr3500_firmware:1.3
-
cpe:2.3:o:tp-link:tl-wdr3600_firmware:1.1
-
cpe:2.3:o:tp-link:tl-wdr3600_firmware:1.2
-
cpe:2.3:o:tp-link:tl-wdr3600_firmware:1.3
-
cpe:2.3:o:tp-link:tl-wdr3600_firmware:1.4
-
cpe:2.3:o:tp-link:tl-wdr3600_firmware:1.5
-
cpe:2.3:o:tp-link:tl-wdr4300_firmware:-
-
cpe:2.3:o:tp-link:tl-wdr4300_firmware:1.0
-
cpe:2.3:o:tp-link:tl-wdr4300_firmware:1.1
-
cpe:2.3:o:tp-link:tl-wdr4300_firmware:1.2
-
cpe:2.3:o:tp-link:tl-wdr4300_firmware:1.3
-
cpe:2.3:o:tp-link:tl-wdr4300_firmware:1.4
-
cpe:2.3:o:tp-link:tl-wdr4300_firmware:1.5
-
cpe:2.3:o:tp-link:tl-wdr4300_firmware:1.6
-
cpe:2.3:o:tp-link:tl-wdr4300_firmware:1.7
-
cpe:2.3:o:tp-link:tl-wdr4900_firmware:1.0
-
cpe:2.3:o:tp-link:tl-wdr4900_firmware:3.0
-
cpe:2.3:o:tp-link:tl-wdr5620_firmware:1.0
-
cpe:2.3:o:tp-link:tl-wdr5620_firmware:2.0
-
cpe:2.3:o:tp-link:tl-wdr5620_firmware:3.0