| Titel | D-Link DI-7100G C1: 2020/02/21, 24.04.18D1: 2024/04/18 Command Injection |
|---|
| Beschreibung | A command injection vulnerability exists in D-Link DI-7100G routers running firmware versions C1 and 24.04.18D1. The vulnerability is located in the start_proxy_client_email function within the rc file. The program constructs system commands using snprintf() and executes them via jhl_system(). When processing NVRAM configuration items such as ac_mng_srv_host, the input is not properly validated or sanitized and is directly concatenated into the command string. An attacker who can modify the relevant configuration fields and inject malicious content may execute arbitrary commands when the device starts or when the related function is triggered, potentially leading to full device compromise. |
|---|
| Quelle | ⚠️ https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_3.md |
|---|
| Benutzer | jfkk (UID 79868) |
|---|
| Einreichung | 31.01.2026 15:41 (vor 3 Monaten) |
|---|
| Moderieren | 07.02.2026 18:33 (7 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 344897 [D-Link DI-7100G C1 24.04.18D1 start_proxy_client_email erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|