Command Injection Vulnerability in D-Link DCS-1130 Devices
CVE-2017-8411

8.8HIGH

Key Information:

Vendor
D-Link
Status
Dcs-1130 Firmware
Vendor
CVE Published:
2 July 2019

Summary

A command injection vulnerability exists in D-Link DCS-1130 devices that allows an attacker to execute arbitrary commands through the device's system API. When a user sets an SMB folder for video clippings, the POST parameters are inadequately sanitized and can be exploited to inject commands. This is due to the interaction of the POST parameters with the vulnerable library function 'sub_1FC4' in 'libmailutils.so'. The exploitation can allow malicious actors to compromise the device by executing commands with the privileges of the device, thus posing a significant risk to security and integrity.

References

https://seclists.org/bugtraq/2019/Jun/8
mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/153226/Dlink-DCS-113...
x_refsource_MISC
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/ma...
x_refsource_MISC

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
🍪 This website uses cookies, like every other website on the internet 😕 By using our website, you consent to the use of cookies.