An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/106815 | Third Party Advisory |
https://github.com/leonW7/D-Link/blob/master/Vul_1.md | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
26 Apr 2023, 18:55
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:h:dlink:dir-823g:-:*:*:*:*:*:*:* |
Information
Published : 2019-01-31 22:29
Updated : 2024-02-04 20:03
NVD link : CVE-2019-7297
Mitre link : CVE-2019-7297
CVE.ORG link : CVE-2019-7297
JSON object : View
Products Affected
dlink
- dir-823g
d-link
- dir-823g_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')