CVE-2022-46641
https://notcve.org/view.php?id=CVE-2022-46641
D-Link DIR-846 A1_FW100A43 was discovered to contain a command injection vulnerability via the lan(0)_dhcps_staticlist parameter in the SetIpMacBindSettings function. • https://github.com/CyberUnicornIoT/IoTvuln/blob/main/d-link/dir-846/D-Link%20dir-846%20SetIpMacBindSettings%20Command%20Injection%20Vulnerability.md https://www.dlink.com/en/security-bulletin • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2020-21016
https://notcve.org/view.php?id=CVE-2020-21016
D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary code as root via HNAP1/control/SetGuestWLanSettings.php. • https://github.com/dahua966/Routers-vuls/blob/master/DIR-846/GuestWLanSetting_RCE.md https://www.dlink.com/en/security-bulletin •
CVE-2021-46319
https://notcve.org/view.php?id=CVE-2021-46319
A Remote Code Execution (RCE) vulnerability exists in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin. Malicious users can exploit this vulnerability by using "\ " or backticks to bypass the shell metacharacter filtering in the ssid0 or ssid1 parameters and execute arbitrary commands. This vulnerability exists because CVE-2019-17509 is not fully patched and the fix can be bypassed by using line breaks or backticks. • https://github.com/doudoudedi/DIR-846_Command_Injection/blob/main/DIR-846_Command_Injection1.md https://www.dlink.com/en/security-bulletin • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-46315
https://notcve.org/view.php?id=CVE-2021-46315
A Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetWizardConfig.php in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin. Malicious users can exploit this vulnerability by using "\ " or backticks as shell metacharacters in the ssid0 or ssid1 parameters to cause arbitrary command execution. Because the CVE-2019-17510 vulnerability has not been patched and improved in www/hnap1/control/setwizardconfig.php, line breaks and backquotes can also be used as a bypass. • https://github.com/doudoudedi/DIR-846_Command_Injection/blob/main/DIR-846_Command_Injection1.md https://www.dlink.com/en/security-bulletin • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-46314
https://notcve.org/view.php?id=CVE-2021-46314
A Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetNetworkTomographySettings.php of D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin because backticks can be used for command injection during the check of whether the supplied value is a reasonable domain name. • https://github.com/doudoudedi/DIR-846_Command_Injection/blob/main/DIR-846_Command_Injection1.md https://www.dlink.com/en/security-bulletin • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •