CVE-2019-12787

Name of the Vulnerable Software and Affected Versions D-Link DIR-818LW versions 2.05.B03 through 2.06B01 BETA

Description The issue is related to errors in processing XML requests, which can allow a remote attacker to execute arbitrary commands. Specifically, there is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the Gateway key.

Recommendations For versions 2.05.B03 through 2.06B01 BETA, consider restricting access to the HNAP1 SetWanSettings API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the Gateway key in XML requests to the affected endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.