CVE-2021-46314

Name of the Vulnerable Software and Affected Versions D-Link DIR-846 versions DIR846A1 FW100A43.bin through DIR846enFW100A53DLA-Retail.bin

Description The issue is related to insufficient argument validation in the HNAP1/control/SetNetworkTomographySettings.php script, allowing a remote attacker to execute arbitrary commands using a specially crafted request. This can be achieved by exploiting the use of backticks for command injection when validating domain names.

Recommendations For D-Link DIR-846 versions DIR846A1 FW100A43.bin through DIR846enFW100A53DLA-Retail.bin, consider disabling access to the HNAP1/control/SetNetworkTomographySettings.php script as a temporary workaround until a patch is available. Restrict the use of backticks in domain name validation to minimize the risk of command injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.