| عنوان | D-Link DIR-823X 250416 OS Command Injection |
|---|
| الوصف | The D-Link DIR-823X router is susceptible to a Remote Command Injection vulnerability via the /goform/set_static_route_table endpoint. The flaw exists in the backend function sub_4175CC, which handles parameters including interface, destip, netmask, gateway, and metric.
While the program calls certain validation functions for specific parameters, it fails to verify the success of these validations and, more importantly, lacks any sanitization for the newline character (\n or 0x0A). An authenticated attacker can inject arbitrary shell commands by using a newline to terminate the intended UCI configuration command and start a new malicious instruction, which is then executed with root privileges. |
|---|
| المصدر | ⚠️ https://github.com/master-abc/cve/issues/28 |
|---|
| المستخدم | jiefengliang (UID 93721) |
|---|
| ارسال | 28/01/2026 05:42 PM (3 أشهر منذ) |
|---|
| الاعتدال | 07/02/2026 09:29 AM (10 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 344859 [D-Link DIR-823X 250416 set_static_route_table sub_4175CC interface/destip/netmask/gateway/metric تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|