CVE-2013-7471

Name of the Vulnerable Software and Affected Versions D-Link DIR-845 versions prior to 1.02b03 D-Link DIR-600 versions prior to 2.17b01 D-Link DIR-645 versions prior to 1.04b11 D-Link DIR-300 rev. B D-Link DIR-865

Description An issue was discovered in "soap.cgi?service=WANIPConn1" where Command Injection via shell metacharacters is possible in the NewInternalClient, NewExternalPort, or NewInternalPort element of a SOAP POST request.

Recommendations For D-Link DIR-845 versions prior to 1.02b03, update to version 1.02b03 or later. For D-Link DIR-600 versions prior to 2.17b01, update to version 2.17b01 or later. For D-Link DIR-645 versions prior to 1.04b11, update to version 1.04b11 or later. For D-Link DIR-300 rev. B and DIR-865, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the "soap.cgi?service=WANIPConn1" endpoint to minimize the risk of exploitation. Avoid using the NewInternalClient, NewExternalPort, or NewInternalPort elements in the affected SOAP POST request until the issue is resolved.