CVE-2019-17508

Name of the Vulnerable Software and Affected Versions D-Link DIR-859 versions A3 D-Link DIR-850L version A1.13

Description The issue is related to the etc/services/DEVICE.TIME.php component of the D-Link DIR-859 A3 and D-Link DIR-850L A microprogrammed software for wireless routers. It is associated with the failure to neutralize special elements used in the operating system command. Exploitation of this issue may allow a remote attacker to execute arbitrary code using the $ SERVER array. The /etc/services/DEVICE.TIME.php file allows command injection via the $SERVER variable.

Recommendations For D-Link DIR-859 version A3, consider disabling the DEVICE.TIME.php component until a patch is available. For D-Link DIR-850L version A1.13, restrict access to the /etc/services/DEVICE.TIME.php file to minimize the risk of exploitation. Avoid using the $ SERVER variable in the affected API endpoint until the issue is resolved.