PT-2020-14692 · D Link · D-Link Dir-816L

Published: 2020-07-22 · Updated: 2023-11-08 · CVE-2020-15894

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: D-Link DIR-816L devices, versions 2.x before 1.10b04Beta02

Description: An administration function in "getcfg.php" is exposed without authentication and can be used to call various configuration services. By manipulating the POST SERVICES variable in the query string, setting it to DEVICE.ACCOUNT, an attacker can potentially retrieve sensitive information such as the admin login credentials.

Recommendations: For D-Link DIR-816L devices versions 2.x before 1.10b04Beta02, update to version 1.10b04Beta02 or later to resolve the issue. As a temporary workaround, restrict access to the "getcfg.php" file to minimize the risk of exploitation, and avoid using the POST SERVICES variable in the affected API endpoint until the issue is resolved.
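Until the device is updated, defenders may want to know whether anyone has been probing the endpoint named above. The following is an added detection example, not code from this advisory or from D-Link: it parses web-server access log lines in Common Log Format, flags every request to getcfg.php for review while the device is unpatched, and raises the finding to "high" when the SERVICES query parameter names DEVICE.ACCOUNT, the value the advisory identifies. The log lines, the source addresses and the non-sensitive service name DEVICE.TIME are constructed for the example; the assumption that SERVICES may carry a comma-separated list of service names is also the example's own.

```python
"""Scan access-log lines for requests matching the CVE-2020-15894 pattern
(unauthenticated calls to getcfg.php, SERVICES=DEVICE.ACCOUNT)."""
import re
from urllib.parse import parse_qs, urlsplit

# Common Log Format: src ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Service names whose retrieval the advisory describes as exposing credentials.
SENSITIVE_SERVICES = {"DEVICE.ACCOUNT"}

# Constructed sample log lines (not real traffic). DEVICE.TIME is a made-up,
# non-sensitive service name used only to show the lower-severity path.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jul/2020:10:00:01 +0000] "POST /getcfg.php?SERVICES=DEVICE.ACCOUNT HTTP/1.1" 200 1843
192.0.2.11 - - [22/Jul/2020:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.12 - - [22/Jul/2020:10:00:09 +0000] "POST /getcfg.php HTTP/1.1" 200 932
192.0.2.13 - - [22/Jul/2020:10:00:12 +0000] "POST /getcfg.php?SERVICES=DEVICE.TIME HTTP/1.1" 200 300
"""


def parse_line(line):
    """Return a dict with src, method, path, query (dict) and status, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Severity for one parsed record: 'high', 'medium' or None."""
    if rec is None or not rec["path"].lower().endswith("/getcfg.php"):
        return None
    # Assumption: SERVICES may hold a comma-separated list of service names.
    services = [s.strip().upper()
                for value in rec["query"].get("SERVICES", [])
                for s in value.split(",")]
    if any(s in SENSITIVE_SERVICES for s in services):
        return "high"
    # Any other hit on getcfg.php deserves review while the device is unpatched.
    return "medium"


def scan(log_text):
    """Return (severity, src, method, target, status) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        level = classify(rec)
        if level:
            findings.append((level, rec["src"], rec["method"], rec["target"], rec["status"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

This only sees what the access log records. When SERVICES is sent in the POST body rather than the query string, the access log will show a bare "POST /getcfg.php" (the "medium" case above); catching the body value requires a reverse proxy or IDS that inspects request bodies, or simply applying the advisory's workaround and restricting who can reach getcfg.php at all.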

Fix

Weakness Enumeration: Missing Authentication

Related Identifiers: CVE-2020-15894

Affected Products: D-Link Dir-816L