CVE-2023-32142

Name of the Vulnerable Software and Affected Versions D-Link DAP-1360 (affected versions not specified) D-Link DAP-2020 (affected versions not specified)

Description This issue allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link routers. The specific flaw exists within the handling of requests to the "/cgi-bin/webproc" endpoint. When parsing the var:page parameter, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Authentication is not required to exploit this issue.

Recommendations For D-Link DAP-1360, as a temporary workaround, consider disabling the /cgi-bin/webproc endpoint until a patch is available. For D-Link DAP-2020, restrict access to the webproc module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.