The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.
Credits
Swaroop Dora, Deven Lunkad, Ashutosh Kumar, and S. Venkatesan from IoT Security Research Lab, Indian Institute of Information Technology, Allahabad
