Vulnerability Details : CVE-2018-10823
An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.
Vulnerability category: Execute code
Products affected by CVE-2018-10823
- cpe:2.3:o:dlink:dwr-116_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:dlink:dwr-512_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:dlink:dwr-111_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:dlink:dwr-912_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-10823
95.68%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-10823
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST | |
8.8
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2018-10823
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-10823
-
https://seclists.org/fulldisclosure/2018/Oct/36
Full Disclosure: Multiple vulnerabilities in D-Link routersExploit;Mailing List;Third Party Advisory
-
http://sploit.tech/2018/10/12/D-Link.html
D-Link routers - full takeoverExploit;Third Party Advisory
Jump to