CVE-2019-8316

Name of the Vulnerable Software and Affected Versions D-Link DIR-878 version 1.12A1

Description The issue is related to a Command Injection, allowing a remote attacker to execute arbitrary code and gain a root shell. This occurs due to insufficient input validation in the SetWebFilterSettings API function, specifically when the WebFilterURLs field contains shell metacharacters. The vulnerability can be exploited via a crafted /HNAP1 POST request.

Recommendations For D-Link DIR-878 version 1.12A1, consider disabling the SetWebFilterSettings function until a patch is available to prevent exploitation. Restrict access to the /HNAP1 API endpoint to minimize the risk of exploitation. Avoid using the WebFilterURLs field in the SetWebFilterSettings API function until the issue is resolved.