PT-2020-5339 · Solarwinds · Solarwinds Database Performance Analyzer

Published: 2020-08-11 · Updated: 2021-04-23 · CVE-2020-25758

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: D-Link DSR-250 version 3.17; SolarWinds Database Performance Analyzer (DPA) (affected versions not specified)

Description: Insufficient validation of configuration-file checksums could allow a remote, authenticated attacker to inject arbitrary crontab entries into a saved configuration before uploading it; the injected entries are executed as root. Additionally, SolarWinds Database Performance Analyzer (DPA) fails to protect the web page structure, which could allow a remote attacker to perform a cross-site scripting attack.

Recommendations: For D-Link DSR-250 version 3.17, consider disabling the ability to upload saved configurations until a patch is available. For SolarWinds Database Performance Analyzer (DPA), restrict access to the web interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

BDU:2021-00134
CVE-2020-25758

Affected Products

D-Link Dsr-250
Solarwinds Database Performance Analyzer