Vulnerability Description
prog.cgi on D-Link DIR-3060 devices before 1.11b04 HF2 allows remote authenticated users to inject arbitrary commands in an admin or root context because SetVirtualServerSettings calls CheckArpTables, which calls popen unsafely.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dlink | Dir-3060 Firmware | <= 1.11b04 |
| Dlink | Dir-3060 | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/161757/D-Link-DIR-3060-1.11b04-Command-Inje (Exploit, Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2021/Mar/23 (Mailing List, Third Party Advisory)
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP1 (Patch, Vendor Advisory)
- https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-28144?
CVE-2021-28144 is a vulnerability with a CVSS score of 8.8 (HIGH). prog.cgi on D-Link DIR-3060 devices before 1.11b04 HF2 allows remote authenticated users to inject arbitrary commands in an admin or root context because SetVirtualServerSettings calls CheckArpTables, which calls popen unsafely.
How severe is CVE-2021-28144?
CVE-2021-28144 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2021-28144?
Yes. Firmware versions before 1.11b04 HF2 are affected; check the vendor advisory in the references section above for patch information. Affected products include: Dlink Dir-3060 Firmware, Dlink Dir-3060.