| tiêu đề | D-Link DIR-815 Firmware 1.01b14 Command Injection |
|---|
| Mô tả | An authenticated command injection vulnerability exists in D-Link DIR-815 firmware version 1.01b14.
The CGI endpoint service.cgi resolves to the cgibin executable. The handler function servicecgi_main() retrieves user-controlled parameters such as EVENT and SERVICE from HTTP requests without sufficient sanitization or validation.
These parameters are directly passed to lxmldbc_system(), which constructs shell commands using vsnprintf() and executes them via system(). As a result, an authenticated attacker with administrative privileges may inject arbitrary operating system commands and achieve remote code execution on the device.
|
|---|
| Nguồn | ⚠️ https://agreeable-eel-32b.notion.site/Authenticated-Command-Injection-Vulnerability-in-D-Link-DIR-815-service-cgi-Firmware-1-01b14-2ff0bcce666b80e8b931cde0792f7141?source=copy_link |
|---|
| Người dùng | Xuhsy (UID 88287) |
|---|
| Đệ trình | 06/02/2026 07:39 (cách đây 3 các tháng) |
|---|
| Kiểm duyệt | 08/02/2026 15:46 (2 days later) |
|---|
| Trạng thái | Bản sao |
|---|
| Mục VulDB | 321651 [D-Link DIR-110/DIR-412/DIR-600/DIR-615/DIR-645/DIR-815 1.03 service.cgi Sự kiện nâng cao đặc quyền] |
|---|
| điểm | 0 |
|---|