PT-2021-22600 · D-Link · D-Link DIR816 A1 FW101CNB04

Doudoudedi · Published 2021-08-24 · Updated 2021-09-01 · CVE-2021-39510

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: D-Link DIR816 A1 FW101CNB04
Description: An issue was discovered in the D-Link DIR816 A1 FW101CNB04 750m11ac wireless router. The handler for the "/goform/form2userconfig.cgi" route takes an HTTP request parameter and uses it to build the username string passed to the delete-user function. Because that string is interpreted by a shell, shell metacharacters in the parameter lead to command injection.
Recommendations: For D-Link DIR816 A1 FW101CNB04, consider disabling the /goform/form2userconfig.cgi route until a patch is available, to prevent command injection through shell metacharacters. Restrict access to this route to minimize the risk of exploitation. Avoid using the username parameter of the affected endpoint until the issue is resolved. At the moment there is no information about a newer firmware version that contains a fix for this vulnerability.
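As an added example that is not part of the advisory, the following shows the defender-side checks a practitioner would want for this route: an allow-list validation of the username parameter that rejects any shell metacharacter, and a scan over constructed access-log lines that flags requests to /goform/form2userconfig.cgi whose username fails that check. The allow-list pattern, the 32-character limit and the log-line format are assumptions; only the route and the parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs
# Route and parameter name come from the advisory; the allow-list pattern,
# length limit and access-log format are assumptions made for this example.
VULN_ROUTE = "/goform/form2userconfig.cgi"
WATCHED_PARAMS = ("username",)
SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def is_safe_username(value):
    """Allow-list check: letters, digits, '_', '.', '-' only, so no shell
    metacharacter (; | & ` $ ( ) < > newline ...) can reach a command string."""
    return SAFE_USERNAME.fullmatch(value) is not None

def inspect_request(method, path, body=""):
    """Return (param, decoded value) pairs on the vulnerable route whose value
    fails the allow-list. The query string and, for POST, the body are checked."""
    route, _, query = path.partition("?")
    if route != VULN_ROUTE:
        return []
    params = parse_qs(query, keep_blank_values=True)
    if method.upper() == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return [(name, value) for name in WATCHED_PARAMS
            for value in params.get(name, []) if not is_safe_username(value)]

def scan_access_log(lines):
    """Flag access-log lines carrying a rejected username in the query string.
    POST bodies never reach an access log; call inspect_request() from a proxy/WAF hook for those."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            findings = inspect_request(m["method"], m["path"])
            if findings:
                hits.append((m["path"], findings))
    return hits

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Aug/2021:10:00:01 +0000] "GET /goform/form2userconfig.cgi?username=admin HTTP/1.1" 200 512',
    '192.0.2.10 - - [24/Aug/2021:10:00:02 +0000] "GET /goform/form2userconfig.cgi?username=bob%3Bid HTTP/1.1" 200 512',
    '192.0.2.11 - - [24/Aug/2021:10:00:03 +0000] "GET /goform/other.cgi?username=bob%3Bid HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for path, findings in scan_access_log(SAMPLE_LOG):
        print("ALERT", path, findings)
```

The same is_safe_username() allow-list is what the firmware handler itself should apply before the value is used anywhere near a command string; rejecting on the device is the fix, the log scan only detects attempts.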

Exploit · Command Injection


Related Identifiers: CVE-2021-39510

Affected Products: D-Link DIR816 A1 FW101CNB04