Vulnerabilites related to d-link - dir-822_firmware
Vulnerability from fkie_nvd
Published
2019-05-13 14:29
Modified
2024-11-21 03:58
Severity ?
Summary
In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter is saved in the /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth internal configuration memory without any regex checking. And in the bwc_tc_spq_start, bwc_tc_wfq_start, and bwc_tc_adb_start functions of the bwcsvcs.php source code, the data in /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth is used with the tc command without any regex checking. A vulnerable /HNAP1/SetQoSSettings XML message could have shell metacharacters in the uplink element such as the `telnetd` string.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| d-link | dir-822_firmware | 202krb06 | |
| dlink | dir-822_firmware | 3.10b06 | |
| dlink | dir-822 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-822_firmware:202krb06:*:*:*:*:*:*:*", matchCriteriaId: "5224FC0A-44C6-4C4D-8EEC-BBA7BA13DF3D", vulnerable: true, }, { criteria: "cpe:2.3:o:dlink:dir-822_firmware:3.10b06:*:*:*:*:*:*:*", matchCriteriaId: "DB427709-D236-4CA6-851C-95323D53DBEB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-822:-:*:*:*:*:*:*:*", matchCriteriaId: "B3894F0E-37F8-4A89-87AC-1DB524D4AE04", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter is saved in the /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth internal configuration memory without any regex checking. And in the bwc_tc_spq_start, bwc_tc_wfq_start, and bwc_tc_adb_start functions of the bwcsvcs.php source code, the data in /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth is used with the tc command without any regex checking. A vulnerable /HNAP1/SetQoSSettings XML message could have shell metacharacters in the uplink element such as the `telnetd` string.", }, { lang: "es", value: "En el mensaje HNAP1/SetQoSSettings, el parámetro uplink es vulnerable y la vulnerabilidad afecta a los dispositivos D-Link DIR-822 Rev.B 202KRb06 y DIR-822 Rev.C 3.10B06. En el código fuente del archivo SetQoSSettings.php, el parámetro uplink se guarda en la memoria de configuración interna del /bwc/entry:1/bandwitch y /bwc/entry:2/bandwitch sin ninguna comprobación regex. Y en las funciones bwc_tc_spq_start, bwc_tc_wfq_start y bwc_tc_adb_start del código fuente de bwcsvcs.php, los datos en /bwc/entry:1/bandwidth y /bwc/entry:2/bandwidth se usan para el comando tc. Un mensaje XML vulnerable /HNAP1/ SetQoSSettings podría tener metacaracteres shell en el elemento uplink, como la cadena `telnetd`.", }, ], id: "CVE-2018-19989", lastModified: "2024-11-21T03:58:57.110", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 10, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-05-13T14:29:01.330", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-78", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-05-13 14:29
Modified
2024-11-21 03:58
Severity ?
Summary
In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vulnerable, and the vulnerability affects D-Link DIR-822 B1 202KRb06 devices. In the SetWiFiVerifyAlpha.php source code, the WPSPIN parameter is saved in the $rphyinf1."/media/wps/enrollee/pin" and $rphyinf2."/media/wps/enrollee/pin" and $rphyinf3."/media/wps/enrollee/pin" internal configuration memory without any regex checking. And in the do_wps function of the wps.php source code, the data in $rphyinf3."/media/wps/enrollee/pin" is used with the wpatalk command without any regex checking. A vulnerable /HNAP1/SetWiFiVerifyAlpha XML message could have shell metacharacters in the WPSPIN element such as the `telnetd` string.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| d-link | dir-822_firmware | 202krb06 | |
| dlink | dir-822 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-822_firmware:202krb06:*:*:*:*:*:*:*", matchCriteriaId: "5224FC0A-44C6-4C4D-8EEC-BBA7BA13DF3D", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-822:-:*:*:*:*:*:*:*", matchCriteriaId: "B3894F0E-37F8-4A89-87AC-1DB524D4AE04", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vulnerable, and the vulnerability affects D-Link DIR-822 B1 202KRb06 devices. In the SetWiFiVerifyAlpha.php source code, the WPSPIN parameter is saved in the $rphyinf1.\"/media/wps/enrollee/pin\" and $rphyinf2.\"/media/wps/enrollee/pin\" and $rphyinf3.\"/media/wps/enrollee/pin\" internal configuration memory without any regex checking. And in the do_wps function of the wps.php source code, the data in $rphyinf3.\"/media/wps/enrollee/pin\" is used with the wpatalk command without any regex checking. A vulnerable /HNAP1/SetWiFiVerifyAlpha XML message could have shell metacharacters in the WPSPIN element such as the `telnetd` string.", }, { lang: "es", value: "En el mensaje HNAP1/SetWiFiVerifyAlpha, el parámetro WPSPIN es vulnerable y la vulnerabilidad afecta a los dispositivos D-Link DIR-822 B1 202KRb06. En el código fuente del archivo SetWiFiVerifyAlpha.php, el parámetro WPSPIN se guarda en la memoria de configuración interna de $rphyinf1.\"/Media/wps/enrollee/pin\" y $rphyinf2.\"/ Media/wps/enrollee/pin\" y $rphyinf3.\"/Media/wps/enrollee/pin\" sin ninguna comprobación regex. Y en la función do_wps del código fuente de wps.php, los datos en $rphyinf3.\"/ Media/wps/enrollee/pin\" se usan con el comando wpatalk sin ninguna comprobación regex. Un mensaje XML vulnerable HNAP1/SetWiFiVerifyAlpha podría tener metacaracteres shell en el elemento WPSPIN como la cadena `telnetd`.", }, ], id: "CVE-2018-19990", lastModified: "2024-11-21T03:58:57.253", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 10, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-05-13T14:29:01.393", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-78", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-05-13 14:29
Modified
2024-11-21 03:58
Severity ?
Summary
D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| d-link | dir-818lw_firmware | 2.05.b03 | |
| dlink | dir-818lw | - | |
| d-link | dir-822_firmware | 202krb06 | |
| dlink | dir-822_firmware | 3.10b06 | |
| dlink | dir-822 | - | |
| d-link | dir-860l_firmware | 2.03.b03 | |
| dlink | dir-860l | - | |
| d-link | dir-868l_firmware | 2.05b02 | |
| dlink | dir-868l | - | |
| d-link | dir-880l_firmware | 1.20b01_01_i3se | |
| dlink | dir-880l | - | |
| d-link | dir-890l\/r_firmware | 1.21b02 | |
| dlink | dir-890l\/r | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-818lw_firmware:2.05.b03:*:*:*:*:*:*:*", matchCriteriaId: "1A1B5838-62C0-4836-861C-8E99DD280154", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-818lw:-:*:*:*:*:*:*:*", matchCriteriaId: "4725FC82-72B5-4EAB-91C6-D32194C5D4F9", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-822_firmware:202krb06:*:*:*:*:*:*:*", matchCriteriaId: "5224FC0A-44C6-4C4D-8EEC-BBA7BA13DF3D", vulnerable: true, }, { criteria: "cpe:2.3:o:dlink:dir-822_firmware:3.10b06:*:*:*:*:*:*:*", matchCriteriaId: "DB427709-D236-4CA6-851C-95323D53DBEB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-822:-:*:*:*:*:*:*:*", matchCriteriaId: "B3894F0E-37F8-4A89-87AC-1DB524D4AE04", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-860l_firmware:2.03.b03:*:*:*:*:*:*:*", matchCriteriaId: "54EA5944-7DCB-4D20-894F-D5A291684EAF", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-860l:-:*:*:*:*:*:*:*", matchCriteriaId: "CCDB9720-8F5A-4F02-A436-920CDAC15D69", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-868l_firmware:2.05b02:*:*:*:*:*:*:*", matchCriteriaId: "21680BA3-2C38-4E14-97F4-480F5B6EC3FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-868l:-:*:*:*:*:*:*:*", matchCriteriaId: "33B501D4-BDDD-485E-A5A3-8AA8D5E46061", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-880l_firmware:1.20b01_01_i3se:beta:*:*:*:*:*:*", matchCriteriaId: "CFE416FB-A5D4-4383-B1E5-5DB8F93A3233", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-880l:-:*:*:*:*:*:*:*", matchCriteriaId: "CC772491-6371-4712-B358-E74D9C5062FD", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-890l\\/r_firmware:1.21b02:beta:*:*:*:*:*:*", matchCriteriaId: "41488604-8598-4929-9F2E-049CBE7B30F1", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-890l\\/r:-:*:*:*:*:*:*:*", matchCriteriaId: "8F65AC17-E770-4711-9D81-D7D76D5D66BF", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string.", }, { lang: "es", value: "Se descubrió un problema en los dispositivos de D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA, manejan incorrectamente el parámetro IsAccessPoint en el archivo /HNAP1/SetAccessPointMode. En el código fuente SetAccessPointMode.php, el parámetro IsAccessPoint es almacenado en el archivo de script ShellPath sin ninguna comprobación regex. después que se ejecute el archivo de script, se ocurre la inyección de comandos. Un mensaje XML vulnerable /HNAP1/SetAccessPointMode podría tener metacaracteres shell en el elemento IsAccessPoint, como la cadena `telnetd`.", }, ], id: "CVE-2018-19987", lastModified: "2024-11-21T03:58:56.823", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 10, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-05-13T14:29:01.207", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-78", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-05-13 14:29
Modified
2024-11-21 03:58
Severity ?
Summary
In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter is saved in the $path_inf_wan1."/web" internal configuration memory without any regex checking. And in the IPTWAN_build_command function of the iptwan.php source code, the data in $path_inf_wan1."/web" is used with the iptables command without any regex checking. A vulnerable /HNAP1/SetRouterSettings XML message could have shell metacharacters in the RemotePort element such as the `telnetd` string.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| d-link | dir-818lw_firmware | 2.05.b03 | |
| dlink | dir-818lw | - | |
| d-link | dir-822_firmware | 202krb06 | |
| dlink | dir-822 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-818lw_firmware:2.05.b03:*:*:*:*:*:*:*", matchCriteriaId: "1A1B5838-62C0-4836-861C-8E99DD280154", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-818lw:-:*:*:*:*:*:*:*", matchCriteriaId: "4725FC82-72B5-4EAB-91C6-D32194C5D4F9", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-822_firmware:202krb06:*:*:*:*:*:*:*", matchCriteriaId: "5224FC0A-44C6-4C4D-8EEC-BBA7BA13DF3D", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-822:-:*:*:*:*:*:*:*", matchCriteriaId: "B3894F0E-37F8-4A89-87AC-1DB524D4AE04", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter is saved in the $path_inf_wan1.\"/web\" internal configuration memory without any regex checking. And in the IPTWAN_build_command function of the iptwan.php source code, the data in $path_inf_wan1.\"/web\" is used with the iptables command without any regex checking. A vulnerable /HNAP1/SetRouterSettings XML message could have shell metacharacters in the RemotePort element such as the `telnetd` string.", }, { lang: "es", value: "En el mensaje /HNAP1/SetRouterSettings, el parámetro RemotePort es vulnerable y la vulnerabilidad afecta a los dispositivos D-Link DIR-818LW Rev.A 2.05.B03 y DIR-822 B1 202KRb06. En el código fuente del archivo SetRouterSettings.php, el parámetro RemotePort es guardado en la memoria de la configuración interna de $path_inf_wan1.\"/web\" sin ninguna comprobación regex. Y en la función IPTWAN_build_command del código fuente iptwan.php, los datos en $ path_inf_wan1. \"/ Web\" se usa con el comando iptables sin ninguna comprobación regex. Un mensaje XML vulnerable/HNAP1/SetRouterSettings podría tener metacaracteres shell en el elemento RemotePort como la cadena \"telnetd\".", }, ], id: "CVE-2018-19986", lastModified: "2024-11-21T03:58:56.683", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 10, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-05-13T14:29:01.143", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-78", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-08-18 17:15
Modified
2024-11-21 04:46
Severity ?
Summary
D-Link DIR-822 Rev.Bx devices with firmware v.202KRb06 and older allow a buffer overflow via long MacAddress data in a /HNAP1/SetClientInfo HNAP protocol message, which is mishandled in /usr/sbin/udhcpd during reading of the /var/servd/LAN-1-udhcpd.conf file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| d-link | dir-822_firmware | * | |
| dlink | dir-822 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:d-link:dir-822_firmware:*:*:*:*:*:*:*:*", matchCriteriaId: "94042DE6-E547-4DDC-ABA6-DDFB57B5B2FE", versionEndIncluding: "2.02krb06", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:dlink:dir-822:-:*:*:*:*:*:*:*", matchCriteriaId: "B3894F0E-37F8-4A89-87AC-1DB524D4AE04", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "D-Link DIR-822 Rev.Bx devices with firmware v.202KRb06 and older allow a buffer overflow via long MacAddress data in a /HNAP1/SetClientInfo HNAP protocol message, which is mishandled in /usr/sbin/udhcpd during reading of the /var/servd/LAN-1-udhcpd.conf file.", }, { lang: "es", value: "Los dispositivos D-Link DIR-822 Rev.Bx con versión de firmware v.202KRb06 y anteriores, permiten un desbordamiento del búfer por medio de datos largos de MacAddress en un mensaje de protocolo HNAP /HNAP1/SetClientInfo, que es manejado inapropiadamente en /usr/sbin/udhcpd durante la lectura del archivo /var/servd/LAN-1-udhcpd.conf.", }, ], id: "CVE-2019-6258", lastModified: "2024-11-21T04:46:19.340", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-08-18T17:15:11.283", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-120", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2018-19989
Vulnerability from cvelistv5
Published
2019-05-13 13:25
Modified
2024-08-05 11:51
Severity ?
EPSS score ?
Summary
In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter is saved in the /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth internal configuration memory without any regex checking. And in the bwc_tc_spq_start, bwc_tc_wfq_start, and bwc_tc_adb_start functions of the bwcsvcs.php source code, the data in /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth is used with the tc command without any regex checking. A vulnerable /HNAP1/SetQoSSettings XML message could have shell metacharacters in the uplink element such as the `telnetd` string.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T11:51:18.165Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter is saved in the /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth internal configuration memory without any regex checking. And in the bwc_tc_spq_start, bwc_tc_wfq_start, and bwc_tc_adb_start functions of the bwcsvcs.php source code, the data in /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth is used with the tc command without any regex checking. A vulnerable /HNAP1/SetQoSSettings XML message could have shell metacharacters in the uplink element such as the `telnetd` string.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-13T13:25:14", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-19989", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter is saved in the /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth internal configuration memory without any regex checking. And in the bwc_tc_spq_start, bwc_tc_wfq_start, and bwc_tc_adb_start functions of the bwcsvcs.php source code, the data in /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth is used with the tc command without any regex checking. A vulnerable /HNAP1/SetQoSSettings XML message could have shell metacharacters in the uplink element such as the `telnetd` string.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", refsource: "MISC", url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-19989", datePublished: "2019-05-13T13:25:14", dateReserved: "2018-12-09T00:00:00", dateUpdated: "2024-08-05T11:51:18.165Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-6258
Vulnerability from cvelistv5
Published
2020-08-18 16:48
Modified
2024-08-04 20:16
Severity ?
EPSS score ?
Summary
D-Link DIR-822 Rev.Bx devices with firmware v.202KRb06 and older allow a buffer overflow via long MacAddress data in a /HNAP1/SetClientInfo HNAP protocol message, which is mishandled in /usr/sbin/udhcpd during reading of the /var/servd/LAN-1-udhcpd.conf file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258 | x_refsource_MISC | |
| https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T20:16:24.697Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "D-Link DIR-822 Rev.Bx devices with firmware v.202KRb06 and older allow a buffer overflow via long MacAddress data in a /HNAP1/SetClientInfo HNAP protocol message, which is mishandled in /usr/sbin/udhcpd during reading of the /var/servd/LAN-1-udhcpd.conf file.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-08-18T16:48:40", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2019-6258", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "D-Link DIR-822 Rev.Bx devices with firmware v.202KRb06 and older allow a buffer overflow via long MacAddress data in a /HNAP1/SetClientInfo HNAP protocol message, which is mishandled in /usr/sbin/udhcpd during reading of the /var/servd/LAN-1-udhcpd.conf file.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258", refsource: "MISC", url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258", }, { name: "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175", refsource: "CONFIRM", url: "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2019-6258", datePublished: "2020-08-18T16:48:40", dateReserved: "2019-01-14T00:00:00", dateUpdated: "2024-08-04T20:16:24.697Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-19987
Vulnerability from cvelistv5
Published
2019-05-13 13:23
Modified
2024-08-05 11:51
Severity ?
EPSS score ?
Summary
D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T11:51:17.881Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-13T13:23:33", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-19987", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", refsource: "MISC", url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-19987", datePublished: "2019-05-13T13:23:33", dateReserved: "2018-12-09T00:00:00", dateUpdated: "2024-08-05T11:51:17.881Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-19986
Vulnerability from cvelistv5
Published
2019-05-13 13:22
Modified
2024-08-05 11:51
Severity ?
EPSS score ?
Summary
In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter is saved in the $path_inf_wan1."/web" internal configuration memory without any regex checking. And in the IPTWAN_build_command function of the iptwan.php source code, the data in $path_inf_wan1."/web" is used with the iptables command without any regex checking. A vulnerable /HNAP1/SetRouterSettings XML message could have shell metacharacters in the RemotePort element such as the `telnetd` string.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T11:51:17.925Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter is saved in the $path_inf_wan1.\"/web\" internal configuration memory without any regex checking. And in the IPTWAN_build_command function of the iptwan.php source code, the data in $path_inf_wan1.\"/web\" is used with the iptables command without any regex checking. A vulnerable /HNAP1/SetRouterSettings XML message could have shell metacharacters in the RemotePort element such as the `telnetd` string.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-13T13:22:05", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-19986", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter is saved in the $path_inf_wan1.\"/web\" internal configuration memory without any regex checking. And in the IPTWAN_build_command function of the iptwan.php source code, the data in $path_inf_wan1.\"/web\" is used with the iptables command without any regex checking. A vulnerable /HNAP1/SetRouterSettings XML message could have shell metacharacters in the RemotePort element such as the `telnetd` string.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", refsource: "MISC", url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-19986", datePublished: "2019-05-13T13:22:05", dateReserved: "2018-12-09T00:00:00", dateUpdated: "2024-08-05T11:51:17.925Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-19990
Vulnerability from cvelistv5
Published
2019-05-13 13:26
Modified
2024-08-05 11:51
Severity ?
EPSS score ?
Summary
In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vulnerable, and the vulnerability affects D-Link DIR-822 B1 202KRb06 devices. In the SetWiFiVerifyAlpha.php source code, the WPSPIN parameter is saved in the $rphyinf1."/media/wps/enrollee/pin" and $rphyinf2."/media/wps/enrollee/pin" and $rphyinf3."/media/wps/enrollee/pin" internal configuration memory without any regex checking. And in the do_wps function of the wps.php source code, the data in $rphyinf3."/media/wps/enrollee/pin" is used with the wpatalk command without any regex checking. A vulnerable /HNAP1/SetWiFiVerifyAlpha XML message could have shell metacharacters in the WPSPIN element such as the `telnetd` string.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T11:51:17.938Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vulnerable, and the vulnerability affects D-Link DIR-822 B1 202KRb06 devices. In the SetWiFiVerifyAlpha.php source code, the WPSPIN parameter is saved in the $rphyinf1.\"/media/wps/enrollee/pin\" and $rphyinf2.\"/media/wps/enrollee/pin\" and $rphyinf3.\"/media/wps/enrollee/pin\" internal configuration memory without any regex checking. And in the do_wps function of the wps.php source code, the data in $rphyinf3.\"/media/wps/enrollee/pin\" is used with the wpatalk command without any regex checking. A vulnerable /HNAP1/SetWiFiVerifyAlpha XML message could have shell metacharacters in the WPSPIN element such as the `telnetd` string.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-13T13:26:05", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-19990", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vulnerable, and the vulnerability affects D-Link DIR-822 B1 202KRb06 devices. In the SetWiFiVerifyAlpha.php source code, the WPSPIN parameter is saved in the $rphyinf1.\"/media/wps/enrollee/pin\" and $rphyinf2.\"/media/wps/enrollee/pin\" and $rphyinf3.\"/media/wps/enrollee/pin\" internal configuration memory without any regex checking. And in the do_wps function of the wps.php source code, the data in $rphyinf3.\"/media/wps/enrollee/pin\" is used with the wpatalk command without any regex checking. A vulnerable /HNAP1/SetWiFiVerifyAlpha XML message could have shell metacharacters in the WPSPIN element such as the `telnetd` string.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", refsource: "MISC", url: "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-19990", datePublished: "2019-05-13T13:26:05", dateReserved: "2018-12-09T00:00:00", dateUpdated: "2024-08-05T11:51:17.938Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }