CVE-2018-19990

{"id": "CVE-2018-19990", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-05-13T14:29:01.393", "references": [{"url": "https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "In the /HNAP1/SetWiFiVerifyAlpha message, the WPSPIN parameter is vulnerable, and the vulnerability affects D-Link DIR-822 B1 202KRb06 devices. In the SetWiFiVerifyAlpha.php source code, the WPSPIN parameter is saved in the $rphyinf1.\"/media/wps/enrollee/pin\" and $rphyinf2.\"/media/wps/enrollee/pin\" and $rphyinf3.\"/media/wps/enrollee/pin\" internal configuration memory without any regex checking. And in the do_wps function of the wps.php source code, the data in $rphyinf3.\"/media/wps/enrollee/pin\" is used with the wpatalk command without any regex checking. A vulnerable /HNAP1/SetWiFiVerifyAlpha XML message could have shell metacharacters in the WPSPIN element such as the `telnetd` string."}, {"lang": "es", "value": "En el mensaje HNAP1/SetWiFiVerifyAlpha, el par\u00e1metro WPSPIN es vulnerable y la vulnerabilidad afecta a los dispositivos D-Link DIR-822 B1 202KRb06. En el c\u00f3digo fuente del archivo SetWiFiVerifyAlpha.php, el par\u00e1metro WPSPIN se guarda en la memoria de configuraci\u00f3n interna de $rphyinf1.\"/Media/wps/enrollee/pin\" y $rphyinf2.\"/ Media/wps/enrollee/pin\" y $rphyinf3.\"/Media/wps/enrollee/pin\" sin ninguna comprobaci\u00f3n regex. Y en la funci\u00f3n do_wps del c\u00f3digo fuente de wps.php, los datos en $rphyinf3.\"/ Media/wps/enrollee/pin\" se usan con el comando wpatalk sin ninguna comprobaci\u00f3n regex. Un mensaje XML vulnerable HNAP1/SetWiFiVerifyAlpha podr\u00eda tener metacaracteres shell en el elemento WPSPIN como la cadena `telnetd`."}], "lastModified": "2023-04-26T18:55:30.893", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:d-link:dir-822_firmware:202krb06:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5224FC0A-44C6-4C4D-8EEC-BBA7BA13DF3D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dir-822:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B3894F0E-37F8-4A89-87AC-1DB524D4AE04"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}