An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
References
Link | Resource |
---|---|
https://cool-y.github.io/2021/03/02/DIR-802-OS-Command-Injection | Exploit Third Party Advisory |
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10206 | Vendor Advisory |
https://www.dlink.com/en/security-bulletin/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
07 Nov 2023, 03:32
Type | Values Removed | Values Added |
---|---|---|
Summary | An issue was discovered on D-Link DIR-802 A1 devices through 1.00b05. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet. NOTE: This vulnerability only affects products that are no longer supported by the maintainer |
19 Apr 2021, 16:39
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10206 - Vendor Advisory | |
References | (MISC) https://cool-y.github.io/2021/03/02/DIR-802-OS-Command-Injection - Exploit, Third Party Advisory | |
References | (MISC) https://www.dlink.com/en/security-bulletin/ - Vendor Advisory | |
CPE | cpe:2.3:o:dlink:dir-802_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:dlink:dir-802:a1:*:*:*:*:*:*:* |
|
CWE | CWE-78 | |
CVSS |
v2 : v3 : |
v2 : 5.8
v3 : 8.8 |
12 Apr 2021, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-04-12 05:15
Updated : 2024-04-11 01:11
NVD link : CVE-2021-29379
Mitre link : CVE-2021-29379
CVE.ORG link : CVE-2021-29379
JSON object : View
Products Affected
dlink
- dir-802_firmware
- dir-802
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')