PT-2019-1516 · D Link · Dir-823

David Chen · Published 2019-02-01 · Updated 2019-02-05 · CVE-2019-7298

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

D-Link DIR-823G versions through 1.02B03

Description

The issue exists because special elements used in an operating system command are not neutralized. Exploitation of this issue may allow a remote attacker to execute arbitrary operating system commands. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body, such as in a /HNAP1 request. An attacker who controls this input can execute any command remotely.

Recommendations

For versions through 1.02B03, consider disabling the HNAP API functions until a patch is available to prevent exploitation. Restrict access to /HNAP1 requests to minimize the risk of remote command execution. Avoid using untrusted input from the request body in the system function to prevent arbitrary OS command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
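
The last recommendation, sketched in C as an added example (not code from the advisory or from D-Link firmware): the pattern the description names, request-body text reaching system(), beside a form that validates the value and runs the program without a shell. The function names, the `logger` command and the sample values are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* All names here are hypothetical; the firmware's real handler is not on the page. */

/* Vulnerable pattern, shown for contrast and never called: request-body text
 * becomes part of a command line that /bin/sh parses. */
int log_value_unsafe(const char *body_value) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "logger %s", body_value);
    return system(cmd);
}

/* Allowlist check: 1..63 bytes of letters, digits, '.', '-' and no leading
 * '-' (so the value cannot be read as an option by the target program). */
int value_is_safe(const char *v) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-";
    size_t n = strlen(v);
    return n >= 1 && n <= 63 && v[0] != '-' && strspn(v, ok) == n;
}

/* Hardened form: validate, then pass the value as exactly one argv entry to
 * execv(), so no shell ever interprets it. Returns the child's exit status
 * (127 if exec fails), or -1 if the value is rejected or fork/wait fails. */
int run_with_arg(const char *prog, const char *value) {
    if (!value_is_safe(value)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)value, NULL };
        execv(prog, argv);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample values standing in for a field of the request body. */
    printf("router-1.lan -> %d\n", value_is_safe("router-1.lan"));
    printf("a;reboot     -> %d\n", run_with_arg("/bin/echo", "a;reboot"));
    return 0;
}
```

The allowlist is deliberately narrower than most fields need; widen it per field rather than switching to a denylist of shell metacharacters.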

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2019-00970
CVE-2019-7298

Affected Products

Dir-823