CVE-2018-10823

An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.

Published: Oct 17, 2018
Updated: Apr 13, 2023
CVE: CVE-2018-10823
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
dlink / dwr-116_firmware	-	1.06.x
dlink / dwr-512_firmware	-	2.02.x
dlink / dwr-912_firmware	-	2.02.x
dlink / dwr-111_firmware	-	1.01.x

http://sploit.tech/2018/10/12/D-Link.html
https://seclists.org/fulldisclosure/2018/Oct/36

Vulnerability Database

CVE-2018-10823

Deep Security Visibility Without the Complexity