CVE-2022-37130

Name of the Vulnerable Software and Affected Versions D-Link DIR-816 versions A2 v1.10CNB04 D-Link DIR-878 version DIR 878 FW1.30B08

Description A command injection issue occurs in the /goform/Diagnosis endpoint, where the setnum variable is spliced into v10 by snprintf, allowing system execution and resulting in a command injection issue.

Recommendations For D-Link DIR-816 version A2 v1.10CNB04, consider disabling access to the /goform/Diagnosis endpoint until a patch is available. For D-Link DIR-878 version DIR 878 FW1.30B08, restrict the use of the setnum variable in the /goform/Diagnosis endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.