Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-30521

The LAN-side Web-Configuration Interface has Stack-based Buffer Overflow vulnerability in the D-Link Wi-Fi router firmware DIR-890L DIR890LA1_FW107b09.bin and previous versions. The function created at 0x17958 of /htdocs/cgibin will call sprintf without checking the length of strings in parameters given by HTTP header and can be controlled by users easily. The attackers can exploit the vulnerability to carry out arbitrary code by means of sending a specially constructed payload to port 49152.

Published

2022-06-02T14:15:53.897

Last Modified

2024-11-21T07:02:52.197

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

10.0

Weaknesses

Type: Primary
CWE-787

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	dlink	dir-890l_firmware	≤ 1.07b09	Yes
Hardware	dlink	dir-890l	-	No

References

https://github.com/winmt/CVE/blob/main/DIR-890L/README.md Exploit, Third Party Advisory ([email protected])
https://github.com/winmt/my-vuls/tree/main/DIR-890L ([email protected])
https://www.dlink.com/en/security-bulletin/ Vendor Advisory ([email protected])
https://github.com/winmt/CVE/blob/main/DIR-890L/README.md Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/winmt/my-vuls/tree/main/DIR-890L (af854a3a-2127-422b-91ae-364da2661108)
https://www.dlink.com/en/security-bulletin/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)