CVE-2021-39509Command Injection in Dlink Dir-816 Firmware

CWE-77Command Injection4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
18.0%
top 4.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Dlink Dir-816 Firmware
Timeline
PublishedAug 24
Latest updateMay 24

Description

An issue was discovered in D-Link DIR-816 DIR-816A2_FWv1.10CNB05_R1B011D88210 The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDdlink/dir-816_firmware1.10cnb05_r1b011d88210

🔴Vulnerability Details

3
GHSA
GHSA-xvjj-gv4g-2h8h: An issue was discovered in D-Link DIR-816 DIR-816A2_FWv12022-05-24
CVEList
CVE-2021-39509: An issue was discovered in D-Link DIR-816 DIR-816A2_FWv12021-08-24
VulnCheck
D-Link dir-816_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')2021
CVE-2021-39509 — Command Injection in Dlink | cvebase