CVE-2020-15893OS Command Injection in Dlink Dir-816l Firmware

CWE-78OS Command Injection4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
82.6%
top 0.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Dlink Dir-816l Firmware
Timeline
PublishedJul 22
Latest updateMay 24

Description

An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDdlink/dir-816l_firmware2.06, 2.06.b09+1

Patches

Patch: supportannouncement.us.dlink.comPatch: supportannouncement.us.dlink.com

🔴Vulnerability Details

3
GHSA
GHSA-q86m-xf2x-qj8j: An issue was discovered on D-Link DIR-816L devices 22022-05-24
CVEList
CVE-2020-15893: An issue was discovered on D-Link DIR-816L devices 22020-07-22
VulnCheck
D-Link dir-816l_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')2020
CVE-2020-15893 — OS Command Injection in Dlink | cvebase