CVE-2019-13375

Name of the Vulnerable Software and Affected Versions D-Link Central WiFi Manager CWM(100) versions prior to v1.03R0100 BETA6

Description A SQL Injection issue was discovered in the PayAction.class.php file, specifically with the passcode parameter in the "index.php/Pay/passcodeAuth" endpoint. This issue does not require authentication to exploit. The vulnerability is related to a lack of protection for the SQL query structure, which could allow a remote attacker to execute arbitrary code.

Recommendations For versions prior to v1.03R0100 BETA6, consider disabling the passcodeAuth functionality in the PayAction.class.php file until a patch is available. Restrict access to the "index.php/Pay/passcodeAuth" endpoint to minimize the risk of exploitation. Avoid using the passcode parameter in the affected endpoint until the issue is resolved.