D-Link Central WiFi Manager CWM(100) - Remote Code Execution

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 18 days 1 hour
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.

