CVE-2021-27248

Name of the Vulnerable Software and Affected Versions D-Link DAP-2020 version 1.01rc001

Description The issue is related to a buffer overflow on the stack in the webproc getpage scenario of the D-Link DAP-2020 Wi-Fi access point's firmware. This can be exploited by network-adjacent attackers to execute arbitrary code on affected installations without requiring authentication. The flaw exists in the processing of CGI scripts, specifically when parsing the getpage parameter, where the length of user-supplied data is not properly validated before being copied to a fixed-length stack-based buffer. This allows an attacker to execute code in the context of root.

Recommendations For D-Link DAP-2020 version 1.01rc001, as a temporary workaround, consider restricting access to the webproc getpage scenario until a patch is available. Avoid using the getpage parameter in the affected CGI scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.