PT-2024-3192 · D-Link · D-Link Dir-822

Published: 2024-04-22 · Updated: 2025-05-26 · CVE-2024-33344

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
D-Link DIR-822+ version 1.0.5

Description
The issue is an OS command injection vulnerability in the ftext() function of the upload firmware.cgi script in the D-Link DIR-822+ firmware. The vulnerability exists because special elements used in operating system commands are not properly sanitized when the UPLOAD FILENAME parameter is processed, so the parameter value reaches the command unchanged. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary commands on the device.

Recommendations
For D-Link DIR-822+ version 1.0.5, consider disabling the ftext() function in the upload firmware.cgi script as a temporary workaround until a patch is available. Restrict access to the upload firmware.cgi script to minimize the risk of exploitation. Avoid using the UPLOAD FILENAME parameter in the affected script until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
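The weakness class described above, as an added example that is not D-Link's firmware code and does not reflect the real ftext() implementation: a hypothetical CGI upload handler shows the weak pattern (a user-controlled filename spliced into a shell command line) beside the hardened pattern (strict allow-list validation of the filename, then running the helper without a shell so the value is passed as a single argv element). The helper path /sbin/flash_write, the staging directory /tmp, the length bound and the sample parameter values are all constructed for the example.

```c
/* Added example (hypothetical, not the vendor's code): hardening a CGI
 * firmware-upload handler against OS command injection via a filename
 * parameter. The helper program, paths and bounds are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_FILENAME 64   /* assumed bound for a firmware image name */

/* Allow-list validation: a firmware image name may contain only letters,
 * digits, '.', '_' and '-', must not start with '.' (rules out hidden
 * files and ".."), and must fit the length bound. Anything else is
 * rejected rather than "escaped": shell metacharacters, spaces, slashes
 * and quotes never get a chance to reach a command. */
int is_safe_filename(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > MAX_FILENAME) return 0;
    if (name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Weak pattern, the shape of flaw the advisory describes: the parameter is
 * formatted into a command string that a shell then parses, so ';', '`',
 * '|' or '$(...)' inside the name become additional commands. Kept here
 * only for contrast; nothing in this example calls it. */
int flash_image_unsafe(const char *name)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/sbin/flash_write /tmp/%s", name);
    return system(cmd);
}

/* Hardened pattern: validate first, then run the helper via execv so the
 * path is one argv element and no shell ever interprets it. Returns the
 * helper's exit status, or -1 if the name is rejected or execution fails. */
int flash_image_safe(const char *helper, const char *name)
{
    char path[sizeof "/tmp/" + MAX_FILENAME];
    int status;

    if (!is_safe_filename(name)) return -1;
    snprintf(path, sizeof path, "/tmp/%s", name);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, path, NULL };
        execv(helper, argv);   /* argv[1] is passed verbatim, unparsed */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample values for the filename parameter. */
    const char *samples[] = { "fw-1.0.5.bin", "fw.bin;ls", "../etc/passwd", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               is_safe_filename(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The validation is deliberately an allow-list rather than a deny-list of metacharacters: a deny-list has to anticipate every character a given shell treats specially, while the allow-list only has to describe what a legitimate firmware image name looks like. Passing the value through execv instead of system() is the second, independent layer; together they address the "lack of proper sanitization" and the "restrict the parameter" points in the advisory.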

Exploit

OS Command Injection
Command Injection

Weakness Enumeration

Related Identifiers
BDU:2024-03412
CVE-2024-33344

Affected Products
D-Link Dir-822