PT-2021-11412 · D Link · D-Link Router Dir-846

Published: 2021-04-02 · Updated: 2021-04-09 · CVE-2020-27600

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: D-Link Router DIR-846 version A1 100.26
Description: The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the ssid0 or ssid1 parameter in the "HNAP1/control/SetMasterWLanSettings.php" endpoint.
Recommendations: For D-Link Router DIR-846 version A1 100.26, as a temporary workaround, consider restricting access to the "HNAP1/control/SetMasterWLanSettings.php" endpoint to minimize the risk of exploitation. Avoid using the parameters ssid0 or ssid1 in this endpoint until the issue is resolved.

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2020-27600

Affected Products

D-Link Router Dir-846