Command Injection Vulnerability in D-Link DIR-878 Router
CVE-2019-8314
8.8HIGH
What is CVE-2019-8314?
A command injection vulnerability has been identified on D-Link DIR-878 devices running firmware version 1.12A1. This flaw enables a remote attacker to run arbitrary commands on the device, potentially gaining root access. The issue arises from improper handling of user input in the SetQoSSettings API function, which can be exploited through a specially crafted POST request using the HNAP protocol. By inserting malicious shell metacharacters into the IPAddress field, an attacker can manipulate the execution flow and execute unauthorized commands within the system.