CVE-2024-48636

Name of the Vulnerable Software and Affected Versions D-Link DIR-882 versions FW130B06 D-Link DIR-878 version FW130B08

Description A command injection issue exists in the SetVLANSettings function due to insufficient neutralization of special elements used in an OS command. This allows attackers to execute arbitrary OS commands via a crafted POST request to the VLANID:0/VID parameter.

Recommendations For D-Link DIR-882 version FW130B06, consider disabling the SetVLANSettings() function until a patch is available. For D-Link DIR-878 version FW130B08, restrict access to the VLANID:0/VID parameter in the SetVLANSettings function to minimize the risk of exploitation. Avoid using the VLANID:0/VID parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.