CVE-2020-10214

Name of the Vulnerable Software and Affected Versions D-Link DIR-825 version 2.10

Description The issue is related to a stack-based buffer overflow in the httpd binary, specifically in the ntp sync.cgi component. This allows an authenticated user to execute arbitrary code via a POST to "ntp sync.cgi" with a sufficiently long ntp server parameter. The exploitation of this issue may enable a remote attacker to execute arbitrary commands.

Recommendations For D-Link DIR-825 version 2.10, as a temporary workaround, consider restricting access to the "ntp sync.cgi" component until a patch is available. Avoid using the ntp server parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.