CVE-2019-13373

Name of the Vulnerable Software and Affected Versions D-Link Central WiFi Manager CWM(100) versions prior to v1.03R0100 BETA6

Description The issue is related to the lack of protection against SQL query structure exploitation in the /web/Public/Conn.php component. This allows a remote attacker to execute arbitrary code. The problem arises because input is not validated, enabling arbitrary SQL statements to be executed in the database via the dbSQL parameter in the /web/Public/Conn.php endpoint.

Recommendations For versions prior to v1.03R0100 BETA6, update to version v1.03R0100 BETA6 or later to resolve the issue. As a temporary workaround, consider restricting access to the /web/Public/Conn.php endpoint to minimize the risk of exploitation. Avoid using the dbSQL parameter in the affected endpoint until the issue is resolved.