SQL Injection in D-Link Central WiFi Manager CWM(100)
CVE-2019-13373

9.8CRITICAL

Key Information:

Vendor
D-Link
Status
Central Wifimanager
Vendor
CVE Published:
6 July 2019

Summary

The D-Link Central WiFi Manager CWM(100) prior to version v1.03R0100_BETA6 contains a vulnerability that allows unauthenticated users to exploit the database through arbitrary SQL statements. This vulnerability exists due to the lack of proper input validation on the /web/Public/Conn.php parameter 'dbSQL', which can lead to unauthorized access, data manipulation, and potential data breaches. It is crucial for users to upgrade to the latest version to mitigate the risks associated with this flaw.

References

https://unh3x.github.io/2019/02/21/D-link-%28CWM-100%29-M...
x_refsource_MISC
https://github.com/unh3x/unh3x.github.io/blob/master/_pos...
x_refsource_MISC
https://supportannouncement.us.dlink.com/announcement/pub...
x_refsource_CONFIRM

EPSS Score

49% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.