WPSPIN Vulnerability in D-Link DIR-822 B1 Devices
CVE-2018-19990

9.8CRITICAL

Key Information:

Vendor: D-link
Status: Dir-822 Firmware
Vendor: CVE Published:; 13 May 2019

Summary

In D-Link DIR-822 B1 devices, the WPSPIN parameter in the /HNAP1/SetWiFiVerifyAlpha message is exposed to vulnerabilities due to a lack of input validation. The parameter is stored in internal configuration memory without proper regex checks, exposing the system to potential command injection attacks. Specifically, the data can allow shell metacharacters in the WPSPIN element, which may be exploited through carefully crafted XML messages, potentially leading to unauthorized command execution and significant security breaches.

References

https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-1998...

x_refsource_MISC

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 13, 2019
Vulnerability Reserved
Dec 9, 2018