CVE-2018-17066

Name of the Vulnerable Software and Affected Versions D-Link DIR-816 A2 version 1.10 B05

Description An issue exists in the handler function of the "/goform/form2systime.cgi" route, where an HTTP request parameter is used in command string construction. This could lead to command injection via shell metacharacters in the datetime parameter. The vulnerability is due to the lack of neutralization of special elements used in the operating system command, which may allow a remote attacker to execute arbitrary commands through shell metacharacters in the datetime parameter.

Recommendations For D-Link DIR-816 A2 version 1.10 B05, as a temporary workaround, consider restricting access to the "/goform/form2systime.cgi" route to minimize the risk of exploitation. Avoid using the datetime parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.