First published: Wed Jan 29 2020
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.
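The weak substring check described above, beside an exact-match allowlist and a detection rule for an SSDP sensor, as an added example in C that is not the DIR-859 firmware's own code; the M-SEARCH samples, the allowlist contents and the function names are constructed for illustration.

```c
#include <string.h>

/* Constructed sample requests, not real traffic. The second carries a shell
   metacharacter after an otherwise valid urn:, the input shape the advisory describes. */
static const char BENIGN_MSEARCH[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
    "MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n";
static const char SUSPICIOUS_MSEARCH[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
    "MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1;id\r\n\r\n";
/* Hypothetical allowlist; a real device lists exactly the URNs it serves. */
static const char *const ALLOWED_ST[] = { "ssdp:all", "upnp:rootdevice",
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1", NULL };

/* Copy the ST header value into buf. Returns 1 on success, 0 if the header is
   missing or the value is too long. (A full parser would match the name case-insensitively.) */
int extract_st(const char *req, char *buf, size_t buflen) {
    const char *v = strstr(req, "\r\nST:");
    if (!v) return 0;
    v += 5;
    while (*v == ' ') v++;                 /* skip optional whitespace */
    size_t vlen = strcspn(v, "\r\n");      /* value runs to end of line */
    if (vlen >= buflen) return 0;
    memcpy(buf, v, vlen);
    buf[vlen] = '\0';
    return 1;
}

/* Weak pattern from the advisory: strstr accepts any value that merely
   contains the expected urn:, trailing metacharacters and all. */
int msearch_st_weak_ok(const char *req) {
    char st[256];
    return extract_st(req, st, sizeof st) &&
           strstr(st, "urn:schemas-upnp-org:device:InternetGatewayDevice:1") != NULL;
}

/* Hardened check: exact match against the allowlist; nothing else passes. */
int msearch_st_strict_ok(const char *req) {
    char st[256];
    if (!extract_st(req, st, sizeof st)) return 0;
    for (size_t i = 0; ALLOWED_ST[i]; i++)
        if (strcmp(st, ALLOWED_ST[i]) == 0) return 1;
    return 0;
}
/* Detection rule for an SSDP sensor: ST carries shell metacharacters. */
int msearch_st_suspicious(const char *req) {
    char st[256];
    return extract_st(req, st, sizeof st) && strpbrk(st, ";|&`$()<>'\"\\") != NULL;
}
```

The weak check returns the same result for both samples; only the exact-match check and the metacharacter rule separate them.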
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Dlink Dir-859 Firmware | =1.05 | |
Dlink Dir-859 Firmware | =1.06b01-beta01 | |
Dlink Dir-859 | | |
The severity of CVE-2019-20215 is critical with a CVSS score of 9.8.
Remote attackers can exploit CVE-2019-20215 by executing arbitrary OS commands via the M-SEARCH method handled by ssdpcgi(), which validates the urn: service/device value with strstr.
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices are affected by CVE-2019-20215.
Yes, D-Link has released firmware updates to address the vulnerability. It is recommended to update to the latest firmware version.
You can find more information about CVE-2019-20215 in the references provided: [link1], [link2], [link3].