PT-2025-31693 · D Link · Dlink Router

Published 2012-11-11 · Updated 2025-09-23 · CVE-2013-10059

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

D-Link routers version 8.04

Description

An authenticated OS command injection vulnerability exists via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.

Recommendations

For version 8.04, ensure proper input sanitization is implemented for the ping_ipaddr parameter within the tools_vct.htm endpoint to prevent command injection. As a temporary workaround, restrict access to the tools_vct.htm interface.
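
One way to implement the recommended sanitization, shown as an added example that is not vendor or firmware code: accept the ping_ipaddr value only if it parses as a bare IP literal, then pass it to ping as a single argv element instead of through a shell. The function names, the ping arguments and the restriction to IP literals (no hostnames) are assumptions made for this sketch.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 only when value is a bare IPv4 or IPv6
 * literal. inet_pton() is an allowlist parser, so backticks, '$', ';',
 * '|' and whitespace all fail without any metacharacter blocklist. */
int ping_target_is_valid(const char *value)
{
    unsigned char buf[sizeof(struct in6_addr)];

    if (value == NULL)
        return 0;
    size_t len = strlen(value);
    if (len == 0 || len >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, value, buf) == 1 ||
           inet_pton(AF_INET6, value, buf) == 1;
}

/* Hypothetical helper: fills an argv vector for execv() so the value is
 * never interpreted by a shell. Returns 0 on success, -1 if rejected. */
int build_ping_argv(const char *value, const char *argv[5])
{
    if (!ping_target_is_valid(value))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";   /* assumed ping options: send one probe */
    argv[2] = "1";
    argv[3] = value;  /* exactly one argument, no shell expansion */
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs for the ping_ipaddr field. */
    const char *samples[] = { "192.168.0.1", "::1", "192.168.0.1`id`", "" };
    const char *argv[5];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s -> %s\n", samples[i],
               build_ping_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```

If the diagnostic page must also accept hostnames, the allowlist needs a separate strict hostname check; the argv-based invocation stays the same.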

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2025-09492
CVE-2013-10059

Affected Products

Dlink Router