First published: Fri Feb 01 2019
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body, such as a body of ' /bin/telnetd' for the GetDeviceSettingsset API function. Consequently, an attacker can execute any command remotely when they control this input.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Dlink Dir-823g Firmware | <=1.02b03 | |
Dlink Dir-823g | | |
The severity of CVE-2019-7298 is critical, with a severity value of 8.1.
CVE-2019-7298 affects D-Link DIR-823G devices with firmware through 1.02B03.
CVE-2019-7298 is a command injection vulnerability that allows attackers to execute arbitrary OS commands via a crafted /HNAP1 request.
An attacker can exploit CVE-2019-7298 by triggering a call to the system function with untrusted input from any HNAP API function.
At the time of this writing, there are no known fixes for CVE-2019-7298. It is recommended to update the firmware of the affected D-Link DIR-823G devices if an update becomes available.
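The root cause described above is request data reaching the system function, where a shell parses it. As an added example (not D-Link firmware code and not part of the original advisory), the C sketch below shows the general mitigation of handing untrusted data to a helper program as a single argv element through posix_spawn, with no shell in between. The function name run_no_shell and the use of /bin/echo as a stand-in helper are assumptions made for illustration.

```c
#include <spawn.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Run prog with data as exactly one argv element and capture its stdout.
 * No shell parses data, so quotes, backticks, ';' and '|' are plain bytes.
 * Returns the number of bytes captured, or -1 on error. */
static int run_no_shell(const char *prog, const char *data, char *out, size_t cap)
{
    char *argv[] = { (char *)prog, (char *)data, NULL };
    posix_spawn_file_actions_t fa;
    int fds[2], status, rc;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (cap == 0 || pipe(fds) != 0)
        return -1;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);
    rc = posix_spawn(&pid, prog, &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);
    if (rc != 0) {
        close(fds[0]);
        return -1;
    }
    while (used < cap - 1 && (n = read(fds[0], out + used, cap - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (int)used;
}

/* Sample input: the request body quoted in the advisory text above. */
static const char SAMPLE_BODY[] = "' /bin/telnetd'";

int main(void)
{
    char out[128];
    int n = run_no_shell("/bin/echo", SAMPLE_BODY, out, sizeof out);
    return (n > 0 && strncmp(out, SAMPLE_BODY, strlen(SAMPLE_BODY)) == 0) ? 0 : 1;
}
```

The helper receives the body byte for byte, so the quotes in the sample are echoed back rather than interpreted. Where no external program is needed at all, writing the data with ordinary file I/O removes the process launch as well.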