Full title: TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection Vulnerability 
Category: web applications
Platform: hardware
TP-LINK Cloud Cameras including products NC260 and NC450 suffer from a command injection vulnerability. The issue is located in the httpSetEncryptKeyRpm method (handler for /setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled EncryptKey parameter is used directly as part of a command line to be executed as root without any input sanitization.

# 0day.today @ http://0day.today/