On D-Link DIR-859 A3-1.06 and DIR-850 A1.13 devices, /etc/services/DEVICE.TIME.php allows command injection via the $SERVER variable.
References
| Link | Resource |
|---|---|
| https://github.com/dahua966/Routers-vuls/tree/master/DIR-859 | Exploit Third Party Advisory |
| https://github.com/dahua966/Routers-vuls/tree/master/DIR-859 | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 04:32
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/dahua966/Routers-vuls/tree/master/DIR-859 - Exploit, Third Party Advisory |
Information
Published : 2019-10-11 20:15
Updated : 2024-11-21 04:32
NVD link : CVE-2019-17508
Mitre link : CVE-2019-17508
CVE.ORG link : CVE-2019-17508
JSON object : View
Products Affected
dlink
- dir-859_a3
- dir-859_a3_firmware
- dir-850l_a
- dir-850l_a_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')