2 results (0.044 seconds)

CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 1

An issue was discovered in D-Link DIR816_A1_FW101CNB04 750m11ac wireless router, The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters. Se ha descubierto un problema en el router inalámbrico D-Link DIR816_A1_FW101CNB04 750m11ac, El parámetro de solicitud HTTP se utiliza en la función de manejador de la ruta /goform/form2userconfig.cgi, que puede construir la cadena de nombre de usuario para eliminar la función de usuario. Esto puede conducir a la inyección de comandos a través de metacaracteres del shell • https://github.com/doudoudedi/main-DIR-816_A1_Command-injection https://github.com/doudoudedi/main-DIR-816_A1_Command-injection/blob/main/injection_A1.md https://www.dlink.com/en/security-bulletin • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 2

D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmware versions of DIR-817LW (A1-1.04), DIR-816L (B1-2.06), DIR-816 (B1-2.06?), DIR-850L (A1-1.09), and DIR-868L (A1-1.10). Los routers D-Link con la funcionalidad mydlink presentan algunas interfaces web sin requerimientos de autenticación. • https://github.com/xw77cve/CVE-2019-7642 https://github.com/xw77cve/CVE-2019-7642/blob/master/README.md • CWE-306: Missing Authentication for Critical Function •