PT-2018-3063 · D Link · D-Link Central Wifi Manager Cwm

Published: 2018-11-20

Updated: 2023-02-28

CVE-2019-13372

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: D-Link Central WiFi Manager CWM(100) versions prior to v1.03R0100 BETA6

Description: The issue is a flaw in the authentication procedure of the D-Link Central WiFi Manager CWM(100). Because the username field in the cookie is vulnerable to eval injection, a remote attacker can execute arbitrary PHP code by supplying a crafted cookie. In addition, an empty password bypasses authentication, which compounds the issue.

Recommendations: For versions prior to v1.03R0100 BETA6, update to version v1.03R0100 BETA6 or later to resolve the issue. As a temporary workaround, consider restricting access to the /web/Lib/Action/IndexAction.class.php component to minimize the risk of exploitation. Until the update is applied, avoid using empty passwords and ensure that the username field in cookies is properly sanitized to prevent eval injection.

Exploit

Fix

Improper Authentication

Code Injection


Weakness Enumeration

Related identifiers

BDU:2019-03552
CVE-2019-13372

Affected products

D-Link Central Wifi Manager Cwm