CVE-2020-25757
published 2020-12-15CVE-2020-25757: A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs…
high8.8CVSS 3.1
AVAACLPRNUINSUCHIHAH
A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dlink | dsr-1000_firmware | <= 3.17 | — |
| dlink | dsr-1000ac_firmware | <= 3.17 | — |
| dlink | dsr-1000n_firmware | <= 3.17 | — |
| dlink | dsr-150_firmware | <= 3.17 | — |
| dlink | dsr-150n_firmware | <= 3.17 | — |
| dlink | dsr-250_firmware | <= 3.17 | — |
| dlink | dsr-250n_firmware | <= 3.17 | — |
| dlink | dsr-500_firmware | <= 3.17 | — |
| dlink | dsr-500ac_firmware | <= 3.17 | — |