| Title | D-Link DI-8300 DI_8300-16.07.26A1 Command Injection |
|---|---|
| Description | A command injection vulnerability exists in the `msp_info_htm` CGI handler of the DI-8300 router. When the `flag` parameter is set to `qos`, the value of the `iface` parameter is directly concatenated into a system command string via `sprintf` and executed with `system()` without any sanitization. An authenticated attacker can inject arbitrary commands using metacharacters such as `;` or `\|`, leading to remote code execution with root privileges on the device. |
| Source | https://github.com/draw-ctf/report/blob/main/DI-8300-msp-info-flag-qos.md |
| User | draw (UID 64399) |
| Submission | 03/26/2026 16:13 (15 days ago) |
| Moderation | 04/08/2026 20:25 (13 days later) |
| Status | Duplicate |
| VulDB entry | 276904 [D-Link DI-8300 16.07.26A1 msp_info_htm command injection] |
| Points | 0 |