CVE-2019-17510

Name of the Vulnerable Software and Affected Versions D-Link DIR-846 version 100A35

Description The issue is related to insufficient argument checking in the SetWizardConfig function of the D-Link DIR-846 firmware, allowing remote attackers to execute arbitrary OS commands as root. This can be achieved by sending a specially crafted /HNAP1/ request for SetWizardConfig with shell metacharacters to the /squashfs-root/www/HNAP1/control/SetWizardConfig.php script.

Recommendations For D-Link DIR-846 version 100A35, consider disabling the SetWizardConfig function until a patch is available to prevent exploitation. Restrict access to the /squashfs-root/www/HNAP1/control/SetWizardConfig.php script to minimize the risk of remote command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.