PT-2025-35092 · D Link · D-Link Dir-868L

Shaunak Ganorkar · Published 2025-08-28 · Updated 2025-08-29 · CVE-2025-55583

CVSS v3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions:

D-Link DIR-868L B1 router firmware version FW2.05WWB02

Description:

The D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the `fileaccess.cgi` component. The `/dws/api/UploadFile` API endpoint accepts a `pre api arg` parameter whose value is passed directly to system-level shell execution functions without sanitization, and the endpoint performs no authentication before doing so. A remote attacker who can reach the router's web interface can therefore execute arbitrary commands as root through crafted HTTP requests, which is what the CVSS vector expresses: network attack vector, no privileges, no user interaction.

Recommendations:

Update to a newer version of the firmware that addresses this issue.

As a temporary workaround, restrict access to the `/dws/api/UploadFile` endpoint. Because the vulnerable code path performs no authentication of its own, the restriction has to be enforced outside the CGI: do not expose the router's web interface to the WAN, and limit access to it from the LAN to trusted administrative hosts.

Do not use the `pre api arg` parameter of the affected endpoint until the issue is resolved, and review the router's web server logs for requests to the endpoint that carry it.
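The pattern behind the description above (an untrusted request parameter spliced into a shell command with no authentication in front of it) and the remediation the recommendations call for, as an added illustration written for this page. It is hypothetical C, not code from the DIR-868L firmware: the `/bin/ls` command, the `/tmp` directory, the allowlist rules and the `demo-session-token` session check are all assumptions, since the page does not describe what command `fileaccess.cgi` actually runs. The hardened version authenticates first, validates the parameter against an allowlist, and builds an argv for `execve()` so that no shell ever parses the value.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (hypothetical): the request parameter is spliced into
 * a command line destined for system() or popen(). The shell parses ';',
 * '|', '`', '$(' and friends, so "x;id" runs the attacker's 'id' after the
 * intended command, with the CGI process's privileges (root on many
 * consumer routers). /bin/ls is a stand-in; the real command run by
 * fileaccess.cgi is not described on this page. Returns a static buffer. */
const char *vulnerable_build_cmd(const char *param)
{
    static char cmd[256];
    /* No session check and no validation of param before it reaches the shell. */
    snprintf(cmd, sizeof cmd, "/bin/ls -l /tmp/%s", param);
    return cmd;
}

/* Hardening step 1: allowlist validation. Accept only a plain file name of
 * [A-Za-z0-9._-], 1..64 bytes, not starting with '.', so shell
 * metacharacters, spaces, slashes and "../" traversal are all rejected. */
int is_safe_param(const char *param)
{
    size_t n;
    if (param == NULL) return 0;
    n = strlen(param);
    if (n == 0 || n > 64 || param[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)param[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardening step 2: authenticate before dispatching. The token compare is a
 * constructed stand-in for the firmware's real session lookup. */
int is_authenticated(const char *session_token)
{
    static const char expected[] = "demo-session-token"; /* constructed value */
    return session_token != NULL && strcmp(session_token, expected) == 0;
}

/* Hardening step 3: build an argv for execve() instead of a string for
 * system(). With no shell in the path, a metacharacter that somehow passed
 * validation is just part of a file name. Returns a static, NULL-terminated
 * argv on success, or NULL if the request is unauthenticated or the
 * parameter fails the allowlist. */
const char **hardened_build_argv(const char *session_token, const char *param)
{
    static char path[128];
    static const char *argv[4];

    if (!is_authenticated(session_token)) return NULL;
    if (!is_safe_param(param)) return NULL;
    if (snprintf(path, sizeof path, "/tmp/%s", param) >= (int)sizeof path) return NULL;

    argv[0] = "/bin/ls";
    argv[1] = "-l";
    argv[2] = path;
    argv[3] = NULL;
    /* The caller would now fork() and execve(argv[0], argv, envp); no shell. */
    return argv;
}

int main(void)
{
    const char *evil = "x;id";
    const char **argv;

    printf("vulnerable command string: %s\n", vulnerable_build_cmd(evil));

    argv = hardened_build_argv("demo-session-token", evil);
    printf("hardened, injected param: %s\n", argv ? "accepted" : "rejected");

    argv = hardened_build_argv(NULL, "firmware.bin");
    printf("hardened, no session:     %s\n", argv ? "accepted" : "rejected");

    argv = hardened_build_argv("demo-session-token", "firmware.bin");
    printf("hardened, valid request:  %s %s %s\n", argv[0], argv[1], argv[2]);
    return 0;
}
```

The order of the three checks matters: the session check runs before the parameter is even looked at, so an unauthenticated request never reaches the validation or exec logic, and the allowlist is a defence in depth rather than the only barrier between a request and the shell.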

Weakness Enumeration:

Missing Authentication
Exposure of Resource to Wrong Sphere
OS Command Injection

Related Identifiers:

CVE-2025-55583

Affected Products:

D-Link Dir-868L