CVE-2024-48635

Name of the Vulnerable Software and Affected Versions D-Link DIR-882 versions FW130B06 D-Link DIR-878 versions FW130B08

Description A command injection issue exists due to the lack of neutralization of special elements used in the operating system command in the SetVLANSettings function. This allows attackers to execute arbitrary OS commands via a crafted POST request to the VLANID:2/VID parameter.

Recommendations For D-Link DIR-882 version FW130B06, consider disabling the SetVLANSettings function until a patch is available. For D-Link DIR-878 version FW130B08, restrict access to the VLANID:2/VID parameter in the SetVLANSettings function to minimize the risk of exploitation. Avoid using the VLANID:2/VID parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.