Command Injection Vulnerability in TPLINK TL-ER5120G Router
CVE-2023-43137

8.8HIGH

Key Information:

Vendor: Tp-link
Status: Tl-er5120g Firmware
Vendor: CVE Published:; 20 September 2023

Summary

The TPLINK TL-ER5120G router is susceptible to a command injection vulnerability that arises when an authenticated user adds Access Control List (ACL) rules. Attackers can exploit this flaw by manipulating the rule name parameter, which contains injection points, thereby allowing them to execute arbitrary commands on the device. This vulnerability poses significant risks to the integrity and security of the device's configuration, potentially leading to unauthorized access or a complete compromise of the router.

References

https://github.com/7R4C4R/CVE/blob/main/TPLINK-TL-ER5120G...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Sep 18, 2023