CVE-2024-48637

Name of the Vulnerable Software and Affected Versions D-Link DIR-878 version DIR 878 FW130B08 D-Link DIR-882 version DIR 882 FW130B06

Description The issue exists due to the lack of neutralization of special elements used in the operating system command in the SetVLANSettings() function of the prog.cgi script. This allows a remote attacker to execute arbitrary commands by sending a specially crafted POST request. The vulnerability is exploited via the VLANID:1/VID parameter in the SetVLANSettings function, enabling attackers to execute arbitrary OS commands.

Recommendations For D-Link DIR-878 version DIR 878 FW130B08, consider disabling the SetVLANSettings() function until a patch is available to prevent exploitation. For D-Link DIR-882 version DIR 882 FW130B06, restrict access to the VLANID:1/VID parameter in the SetVLANSettings function to minimize the risk of exploitation. Avoid using the VLANID:1/VID parameter in the affected API endpoint until the issue is resolved.