CVE-2018-19300

Summary

CVE	CVE-2018-19300
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-04-11 16:29:00 UTC
Updated	2023-04-26 19:27:00 UTC
Description	On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	D-link	Dap-1530	-	All	All	All
Hardware	D-link	Dap-1530	-	All	All	All
Operating System	D-link	Dap-1530 Firmware	All	All	All	All
Hardware	D-link	Dap-1610	-	All	All	All
Hardware	D-link	Dap-1610	-	All	All	All
Operating System	D-link	Dap-1610 Firmware	All	All	All	All
Hardware	D-link	Dwr-111	-	All	All	All
Hardware	D-link	Dwr-111	-	All	All	All
Operating System	D-link	Dwr-111 Firmware	All	All	All	All
Hardware	D-link	Dwr-116	-	All	All	All
Hardware	D-link	Dwr-116	-	All	All	All
Operating System	D-link	Dwr-116 Firmware	1.06	b1	All	All
Operating System	D-link	Dwr-116 Firmware	1.06	b2	All	All
Operating System	D-link	Dwr-116 Firmware	1.06	b1	All	All
Operating System	D-link	Dwr-116 Firmware	1.06	b2	All	All
Operating System	D-link	Dwr-116 Firmware	All	All	All	All
Hardware	D-link	Dwr-512	-	All	All	All
Hardware	D-link	Dwr-512	-	All	All	All
Operating System	D-link	Dwr-512 Firmware	All	All	All	All
Hardware	D-link	Dwr-711	-	All	All	All
Hardware	D-link	Dwr-711	-	All	All	All
Operating System	D-link	Dwr-711 Firmware	All	All	All	All
Hardware	D-link	Dwr-712	-	All	All	All
Hardware	D-link	Dwr-712	-	All	All	All
Operating System	D-link	Dwr-712 Firmware	All	All	All	All
Hardware	D-link	Dwr-921	-	All	All	All
Hardware	D-link	Dwr-921	-	All	All	All
Operating System	D-link	Dwr-921 Firmware	All	All	All	All
Operating System	D-link	Dwr-921 Firmware	All	All	All	All
Hardware	Dlink	Dap-1530	-	All	All	All
Hardware	Dlink	Dap-1610	-	All	All	All
Hardware	Dlink	Dwr-111	-	All	All	All
Operating System	Dlink	Dwr-111 Firmware	All	All	All	All
Hardware	Dlink	Dwr-116	-	All	All	All
Operating System	Dlink	Dwr-116 Firmware	All	All	All	All
Hardware	Dlink	Dwr-512	-	All	All	All
Operating System	Dlink	Dwr-512 Firmware	All	All	All	All
Hardware	Dlink	Dwr-711	-	All	All	All
Hardware	Dlink	Dwr-712	-	All	All	All
Operating System	Dlink	Dwr-712 Firmware	All	All	All	All
Hardware	Dlink	Dwr-921	-	All	All	All
Operating System	Dlink	Dwr-921 Firmware	All	All	All	All
Operating System	Dlink	Dwr-921 Firmware	All	All	All	All

References

Reference	Source	Link	Tags
Serious vulnerability discovered in D-Link routers - Greenbone Networks	MISC	www.greenbone.net	Third Party Advisory
Schwachstelle durch Command Execution in D-Link DWR und DAP Routern (/EXCU_SHELL) \| D-Link Deutschland	CONFIRM	eu.dlink.com	Vendor Advisory
CVE-2018-19300: Remote Command Execution Vulnerability in D-Link DWR and DAP Routers - Vulnerability Tests - Greenbone Community Portal	MISC	community.greenbone.net	Exploit, Third Party Advisory
Schwerwiegende Sicherheitslücke in D-Link-Routern entdeckt - Greenbone Networks	MISC	www.greenbone.net	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.