⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2019-13372

CWE-94Code InjectionCWE-287Improper Authentication5 documents5 sources
Severity
9.8CRITICAL
EPSS
92.9%
top 0.23%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Dlink Central Wifimanager
Timeline
PublishedJul 6
Latest updateMay 24

Description

/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

3
GHSA
GHSA-j37h-vwh2-59wm: /web/Lib/Action/IndexAction2022-05-24
CVEList
CVE-2019-13372: /web/Lib/Action/IndexAction2019-07-06
VulnCheck
D-Link central_wifimanager Improper Control of Generation of Code ('Code Injection')2019

💥Exploits & PoCs

1
Nuclei
D-Link Central WiFi Manager CWM(100) - Remote Code Execution
CVE-2019-13372 (CRITICAL CVSS 9.8) | /web/Lib/Action/IndexAction.class.p | cvebase.io