PT-2021-17354 · D Link · D-Link Dap-2020

Chi Tran +3 · Published 2021-02-24 · Updated 2025-12-09 · CVE-2021-27250

CVSS v3.1: 6.5 Medium
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: D-Link DAP-2020 version 1.01rc001
Description: This issue allows network-adjacent attackers to disclose sensitive information on affected installations. Authentication is not required to exploit this issue. The flaw exists within the processing of CGI scripts, specifically when parsing the errorpage request parameter. The process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this issue to disclose stored credentials, leading to further compromise.
Recommendations: For D-Link DAP-2020 version 1.01rc001, consider restricting access to CGI scripts until a patch is available. As a temporary workaround, avoid using the errorpage parameter in requests to minimize the risk of exploitation.

Related Identifiers

CVE-2021-27250
ZDI-21-205

Affected Products

D-Link Dap-2020