CVE-2020-6841

Name of the Vulnerable Software and Affected Versions D-Link DCH-M225 versions 1.05b01 and earlier

Description The issue is related to the spotifyConnect.php script in the D-Link DCH-M225 device, where it fails to neutralize special elements used in an OS command when processing the userName parameter. This allows remote attackers to execute arbitrary OS commands via shell metacharacters. Exploitation of the issue can enable a remote attacker to execute arbitrary commands by sending specially crafted HTTP requests.

Recommendations For D-Link DCH-M225 versions 1.05b01 and earlier, as a temporary workaround, consider restricting access to the spotifyConnect.php script until a patch is available. Avoid using the userName parameter in the affected script to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.