| Title | D-Link DI-7100G C1: 2020/02/21, 24.04.18D1: 2024/04/18 Command Injection |
|---|---|
| Description | A command injection vulnerability exists in D-Link DI-7100G routers running firmware versions C1 and 24.04.18D1. The vulnerability is located in the start_proxy_client_email function within the rc file. The program constructs system commands using snprintf() and executes them via jhl_system(). When processing NVRAM configuration items such as ac_mng_srv_host, the input is not properly validated or sanitized and is directly concatenated into the command string. An attacker who can modify the relevant configuration fields and inject malicious content may execute arbitrary commands when the device starts or when the related function is triggered, potentially leading to full device compromise. |
| Source | https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_3.md |
| User | jfkk (UID 79868) |
| Submission | 31.01.2026 15:41 (3 months ago) |
| Moderation | 07.02.2026 18:33 (7 days later) |
| Status | accepted |
| VulDB entry | 344897 [D-Link DI-7100G C1 24.04.18D1 start_proxy_client_email privilege escalation] |
| Points | 20 |