CVE-2019-8315

Name of the Vulnerable Software and Affected Versions D-Link DIR-878 version 1.12A1

Description The issue allows a remote attacker to execute arbitrary code and gain a root shell through a Command Injection vulnerability. This occurs when the twsystem function is called with untrusted input from the request body for the SetIPv4FirewallSettings API function, potentially via a crafted /HNAP1 POST request. The vulnerability is related to insufficient input validation, which can be exploited by including shell metacharacters in the SrcIPv4AddressRangeStart field.

Recommendations For D-Link DIR-878 version 1.12A1, consider disabling the SetIPv4FirewallSettings API function or restricting access to it until a patch is available. Additionally, avoid using the SrcIPv4AddressRangeStart field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.