CVE-2019-10040

Name of the Vulnerable Software and Affected Versions: D-Link DIR-816 A2 version 1.11

Description: The issue concerns the authorization process of the router, where it only checks a random token when authorizing a goform request. This allows an attacker to obtain the token from dir login.asp and utilize a hidden API endpoint "/goform/SystemCommand" to execute system commands without proper authentication.

Recommendations: For D-Link DIR-816 A2 version 1.11, as a temporary workaround, consider restricting access to the "/goform/SystemCommand" API endpoint until a patch is available. Additionally, avoid using the dir login.asp page to obtain the random token, as this can be exploited to gain unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.