CVE-2019-13482
https://notcve.org/view.php?id=CVE-2019-13482
An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Type field to SetWanSettings. Se detectó un problema en los dispositivos DIR-818LW con firmware versión 2.06betab01 de D-Link. Se presenta una inyección de comando en HNAP1 (explotable con identificación) por medio de metacaracteres de shell en el campo Type a SetWanSettings. • http://www.securityfocus.com/bid/109131 https://github.com/TeamSeri0us/pocs/blob/master/iot/dlink/dir818-4.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-13481
https://notcve.org/view.php?id=CVE-2019-13481
An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the MTU field to SetWanSettings. Se detectó un problema en los dispositivos DIR-818LW con firmware versión 2.06betab01 de D-Link. Se presenta una inyección de comando en HNAP1 (explotable con identificación) por medio de metacaracteres de shell en el campo MTU en SetWanSettings. • http://www.securityfocus.com/bid/109131 https://github.com/TeamSeri0us/pocs/blob/master/iot/dlink/dir818-3.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-12787
https://notcve.org/view.php?id=CVE-2019-12787
An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the Gateway key. Se descubrió un error en los dispositivos D-Link DIR-818LW desde 2.05.B03 hasta 2.06B01 BETA, Hay una inyección de comandos en HNAP1 SetWanSettings a través de una inyección XML de los valores de la clave de Gateway • https://github.com/TeamSeri0us/pocs/blob/master/iot/dlink/dir818-2-protected.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-12786
https://notcve.org/view.php?id=CVE-2019-12786
An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the IPAddress key. Se descubrió un error en los dispositivos D-Link DIR-818LW desde 2.05.B03 hasta 2.06B01 BETA. Hay una inyección de comandos en HNAP1 SetWanSetting mediante una inyección XML de los valor de la clave IPAddress. • https://github.com/TeamSeri0us/pocs/blob/master/iot/dlink/dir818-protected.pdf • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2018-19987
https://notcve.org/view.php?id=CVE-2018-19987
D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string. Se descubrió un problema en los dispositivos de D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA, manejan incorrectamente el parámetro IsAccessPoint en el archivo /HNAP1/SetAccessPointMode. • https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •