PT-2025-31687 · D Link · D-Link Dir-615+1

Published 2012-10-15 · Updated 2025-08-01 · CVE-2013-10050

CVSS v2.0: 9.0 High (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Name of the Vulnerable Software and Affected Versions

D-Link DIR-300 version 1.05
D-Link DIR-615 version 4.13

Description

An OS command injection vulnerability exists in multiple D-Link routers via the authenticated tools_vct.xgi CGI endpoint. The web interface does not properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Successful exploitation can lead to full device compromise, including the ability to spawn a telnet daemon and establish a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server.

Recommendations

D-Link DIR-300 version 1.05: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
D-Link DIR-615 version 4.13: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
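
With no fixed firmware listed, monitoring requests to the endpoint is one compensating control. The following is an added example, not code from the advisory or from D-Link: it flags pingIp values that are not a plain IP address or hostname. It assumes the endpoint is spelled `tools_vct.xgi`, that the parameter travels in the query string, and that an upstream proxy writes Common Log Format lines; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

ENDPOINT = "tools_vct.xgi"   # CGI endpoint named in the advisory
PARAM = "pingIp"             # parameter named in the advisory
# Assumption: a legitimate ping target is an IPv4 literal or DNS hostname,
# so only letters, digits, dots and hyphens are expected.
SAFE_TARGET = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")
# Assumption: the log carries the request line in Common Log Format.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (.+) HTTP/[\d.]+"')


def suspicious_ping_values(request_target):
    """Return decoded pingIp values that fail the allowlist."""
    parts = urlsplit(request_target)
    if parts.path.rsplit("/", 1)[-1] != ENDPOINT:
        return []
    flagged = []
    # Split on "&" only: a raw ";" must stay inside the value, not end it.
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if unquote_plus(key) == PARAM and value and not SAFE_TARGET.fullmatch(value):
            flagged.append(value)
    return flagged


def scan_log(lines):
    """Return (line_number, flagged_values) for each suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        flagged = suspicious_ping_values(match.group(1)) if match else []
        if flagged:
            hits.append((number, flagged))
    return hits


# Constructed sample lines (documentation addresses, inert PLACEHOLDER text).
SAMPLE_LOG = [
    '198.51.100.7 - admin [01/Aug/2025:10:00:00 +0000] "GET /tools_vct.xgi?pingIp=192.0.2.10 HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Aug/2025:10:00:05 +0000] "GET /tools_vct.xgi?pingIp=192.0.2.10%3BPLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Aug/2025:10:00:09 +0000] "GET /tools_vct.xgi?pingIp=%60PLACEHOLDER%60 HTTP/1.1" 200 512',
    '198.51.100.7 - admin [01/Aug/2025:10:00:12 +0000] "GET /index.html?pingIp=a%3Bb HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, values in scan_log(SAMPLE_LOG):
        print(f"line {number}: unexpected {PARAM} value(s): {values!r}")
```

Values sent in a POST body do not appear in access logs, so this check covers only what the request line records.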

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-09523
CVE-2013-10050

Affected Products

D-Link Dir-300
D-Link Dir-615