CVE-2018-20114

Published: Jan 2, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

On D-Link DIR-818LW Rev.A 2.05.B03 and DIR-860L Rev.B 2.03.B03 devices, unauthenticated remote OS command execution can occur in the soap.cgi service of the cgibin binary via an "&&" substring in the service parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-6530.

Affected (2)

Products: Dlink: Dir 818lw Firmware, Dir 860l Firmware

2 products

Dir 818lw Firmware

Dir 860l Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dir 818lw Firmware	Version 2.05.b03

Running on/with	Platform Versions
Dlink Dir 818lw	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dir 860l Firmware	Version 2.03.b03

Running on/with	Platform Versions
Dlink Dir 860l	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-20114

Source: cve@mitre.org

Exploit

https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-20114

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.