CVE-2018-20305

Name of the Vulnerable Software and Affected Versions D-Link DIR-816 A2 version 1.10 B05

Description The issue allows for arbitrary remote code execution without authentication via the newpass parameter. In the "/goform/form2userconfig.cgi" handler function, a long password may lead to a stack-based buffer overflow and overwrite a return address. This is caused by a buffer overflow in the /goform/form2userconfig.cgi component of the D-Link DIR-816 router's firmware, which can be exploited by a remote attacker to execute arbitrary code.

Recommendations For D-Link DIR-816 A2 version 1.10 B05, as a temporary workaround, consider restricting access to the "/goform/form2userconfig.cgi" handler function until a patch is available. Avoid using long passwords in the newpass parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.