| Title | D-Link DIR-823X 250416 OS Command Injection |
|---|---|
| Description | D-Link DIR-823X routers are susceptible to a Remote Command Injection vulnerability via the `/goform/set_server_settings` endpoint. The flaw exists in the backend handling of server configuration parameters. Due to an incomplete sanitization mechanism that fails to filter newline characters (`\n` or `0x0A`), an authenticated attacker can inject arbitrary shell commands through parameters such as `terminal_addr`, `server_ip`, or `server_port`. When the system commits these configurations to the UCI (Unified Configuration Interface) and restarts the relevant services, the injected commands are executed with root privileges via the system shell. |
| Source | ⚠️ https://github.com/master-abc/cve/issues/26 |
| User | 942384053 (UID 94603) |
| Submission | 26.01.2026 15:22 (4 months ago) |
| Moderation | 06.02.2026 15:46 (11 days later) |
| Status | Accepted |
| VulDB entry | 344694 [D-Link DIR-823X 250416 Configuration Parameter set_server_settings terminal_addr/server_ip/server_port privilege escalation] |
| Points | 20 |