Vulnerability Description
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| D-Link | Dir-823G Firmware | <= 1.02b03 |
| Dlink | Dir-823G | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/106815Third Party Advisory
- https://github.com/leonW7/D-Link/blob/master/Vul_1.mdExploitThird Party Advisory
- http://www.securityfocus.com/bid/106815Third Party Advisory
- https://github.com/leonW7/D-Link/blob/master/Vul_1.mdExploitThird Party Advisory
FAQ
What is CVE-2019-7297?
CVE-2019-7297 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a craf...
How severe is CVE-2019-7297?
CVE-2019-7297 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-7297?
Check the references section above for vendor advisories and patch information. Affected products include: D-Link Dir-823G Firmware, Dlink Dir-823G.