CVE-2019-10039

Name of the Vulnerable Software and Affected Versions: D-Link DIR-816 A2 version 1.11

Description: The issue allows an attacker to edit the web or system account without authentication by exploiting the fact that the router only checks the random token when authorizing a goform request. This token can be obtained from dir login.asp and then used in the API endpoint "/goform/setSysAdm" to make unauthorized changes.

Recommendations: For version 1.11, as a temporary workaround, consider restricting access to the "/goform/setSysAdm" API endpoint until a patch is available. Additionally, avoid using the dir login.asp page to obtain the random token, as this can be used to exploit the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.