CVE-2019-8314

Name of the Vulnerable Software and Affected Versions D-Link DIR-878 version 1.12A1

Description The issue is related to insufficient input validation in the SetQoSSettings() function of the D-Link router's firmware, allowing a remote attacker to execute arbitrary code. This can be achieved through a Command Injection vulnerability, where an attacker can execute arbitrary OS commands via a crafted /HNAP1 POST request. The vulnerability is triggered when the SetQoSSettings API function is called with untrusted input from the request body, such as shell metacharacters in the IPAddress field.

Recommendations For D-Link DIR-878 version 1.12A1, consider disabling the SetQoSSettings() function until a patch is available to prevent exploitation. Restrict access to the HNAP API to minimize the risk of arbitrary code execution. Avoid using the IPAddress field in the SetQoSSettings API function until the issue is resolved.