CVSS Base Vector:
D-Link DIR-816 devices are prone to multiple vulnerabilities.
Tries to execute a command on the device.
Following vulnerabilities exist:
- An attacker can get a token from dir_login.asp and use an API URL /goform/setSysAdm
to edit the web or system account without authentication.
- An attacker can get a token from dir_login.asp and use a hidden API URL /goform/SystemCommand
to execute a system command without authentication.
- An attacker can get a token from dir_login.asp and use a hidden API URL /goform/form2userconfig.cgi
to edit the system account without authentication.
- An attacker can get a token from dir_login.asp and use a hidden API URL /goform/LoadDefaultSettings
to reset the router without authentication.
Successful exploitation would allow an attacker to gain
complete control over the target device.
D-Link DIR-816 A2 through firmware version 1.11.
No known solution is available as of 2nd August, 2019.
Information regarding this issue will be updated once solution details are available.
Web application abuses
NVD CVE ID: