A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may allow arbitrary input to be passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17.
Published: 2020-12-15T20:15:16.183
Last modified: 2024-11-21T05:18:40.930
Status: Modified
CVSSv3.1: 8.8 (HIGH)
CVSSv2 vector: AV:A/AC:L/Au:N/C:C/I:C/A:C
CVSSv2 exploitability score: 6.5
CVSSv2 impact score: 10.0

Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Operating System | dlink | dsr-150_firmware | ≤ 3.17 | Yes |
Hardware | dlink | dsr-150 | - | No |
Operating System | dlink | dsr-150n_firmware | ≤ 3.17 | Yes |
Hardware | dlink | dsr-150n | - | No |
Operating System | dlink | dsr-250_firmware | ≤ 3.17 | Yes |
Hardware | dlink | dsr-250 | - | No |
Operating System | dlink | dsr-250n_firmware | ≤ 3.17 | Yes |
Hardware | dlink | dsr-250n | - | No |
Operating System | dlink | dsr-500_firmware | ≤ 3.17 | Yes |
Hardware | dlink | dsr-500 | - | No |
Operating System | dlink | dsr-500n_firmware | * | Yes |
Hardware | dlink | dsr-500n | - | No |
Operating System | dlink | dsr-500ac_firmware | ≤ 3.17 | Yes |
Hardware | dlink | dsr-500ac | - | No |
Operating System | dlink | dsr-1000_firmware | ≤ 3.17 | Yes |
Hardware | dlink | dsr-1000 | - | No |
Operating System | dlink | dsr-1000n_firmware | ≤ 3.17 | Yes |
Hardware | dlink | dsr-1000n | - | No |
Operating System | dlink | dsr-1000ac_firmware | ≤ 3.17 | Yes |
Hardware | dlink | dsr-1000ac | - | No |