| tiêu đề | D-Link D-Link DCS931L v1.0.0-v1.13.0 Command Injection |
|---|
| Mô tả | ## Description
A critical command injection vulnerability exists in D-Link DCS-931L IP camera firmware version 1.14.04 and earlier versions. The vulnerability is located in the `/setSystemAdmin` endpoint which fails to properly sanitize user-supplied input in the `AdminID` parameter before passing it to the `doSystem()` function for shell command execution. An authenticated attacker can exploit this vulnerability by injecting malicious shell commands using special characters (such as single quotes and semicolons) in the `AdminID` parameter, allowing arbitrary command execution with root privileges on the affected device. This can lead to complete system compromise, including enabling telnet services, modifying system configurations, or executing malicious payloads. |
|---|
| Nguồn | ⚠️ https://github.com/cha0yang1/CVE/blob/main/D-Link%20DCS931L1.md |
|---|
| Người dùng | Ruler-Chovy (UID 95098) |
|---|
| Đệ trình | 06/02/2026 15:41 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 08/02/2026 17:12 (2 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 344944 [D-Link DCS-931L đến 1.13.0 /setSystemAdmin doSystem AdminID nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|