CVE-2023-32137

Name of the Vulnerable Software and Affected Versions D-Link DAP-1360 (affected versions not specified) D-Link DAP-2020 (affected versions not specified)

Description This issue allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link routers. Authentication is not required to exploit this issue. The specific flaw exists within the handling of requests to the "/cgi-bin/webproc" endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this issue to disclose information in the context of root.

Recommendations For D-Link DAP-1360, consider restricting access to the "/cgi-bin/webproc" endpoint until a patch is available. For D-Link DAP-2020, consider restricting access to the WEB DisplayPage() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.