CVE-2018-5371

diag_ping.cmd on D-Link DSL-2640U devices with firmware IM_1.00 and ME_1.00, and DSL-2540U devices with firmware ME_1.00, allows authenticated remote attackers to execute arbitrary OS commands via shell metacharacters in the ipaddr field of an HTTP GET request.
References
Link Resource
https://www.iplantom.com/2018/01/10/dsl2640U/ Exploit Technical Description Third Party Advisory URL Repurposed
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:d-link:dsl-2540u_firmware:me_1.00:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dsl-2540u:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
OR cpe:2.3:o:d-link:dsl-2640u_firmware:im_1.00:*:*:*:*:*:*:*
cpe:2.3:o:d-link:dsl-2640u_firmware:me_1.00:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dsl-2640u:-:*:*:*:*:*:*:*

History

14 Feb 2024, 01:17

Type Values Removed Values Added
References (MISC) https://www.iplantom.com/2018/01/10/dsl2640U/ - Exploit, Technical Description, Third Party Advisory (MISC) https://www.iplantom.com/2018/01/10/dsl2640U/ - Exploit, Technical Description, Third Party Advisory, URL Repurposed

Information

Published : 2018-01-12 09:29

Updated : 2024-02-28 16:04


NVD link : CVE-2018-5371

Mitre link : CVE-2018-5371

CVE.ORG link : CVE-2018-5371


JSON object : View

Products Affected

dlink

  • dsl-2540u
  • dsl-2640u

d-link

  • dsl-2640u_firmware
  • dsl-2540u_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')