CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2013-10050

An OS command injection vulnerability exists in multiple D-Link routers—confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)—via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.003

EPSS Ranking 50.6%

CVSS Severity

CVSS v3 Score 8.8

References

Products affected by CVE-2013-10050

Dlink » Dir-300 » Version: a

cpe:2.3:h:dlink:dir-300:a
Dlink » Dir-615 » Version: d

cpe:2.3:h:dlink:dir-615:d
Dlink » Dir-300 Firmware » Version: N/A

cpe:2.3:o:dlink:dir-300_firmware:-
Dlink » Dir-615 Firmware » Version: N/A

cpe:2.3:o:dlink:dir-615_firmware:-
Dlink » Dir-615 Firmware » Version: 2.5.17

cpe:2.3:o:dlink:dir-615_firmware:2.5.17
Dlink » Dir-615 Firmware » Version: 3.03ww

cpe:2.3:o:dlink:dir-615_firmware:3.03ww

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2013-10050

Products

Pricing

Contact Us