CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2013-10069

The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.022

EPSS Ranking 83.7%

CVSS Severity

CVSS v3 Score 9.8

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb
https://web.archive.org/web/20150428184723/http://www.s3cur1ty.de/m1adv2013-003
https://www.exploit-db.com/exploits/24453
https://www.vulncheck.com/advisories/dlink-devices-unauth-rce
https://www.exploit-db.com/exploits/24453

Products affected by CVE-2013-10069

Dlink » Dir-300 » Version: b

cpe:2.3:h:dlink:dir-300:b
Dlink » Dir-600 » Version: b

cpe:2.3:h:dlink:dir-600:b
Dlink » Dir-300 Firmware » Version: N/A

cpe:2.3:o:dlink:dir-300_firmware:-
Dlink » Dir-300 Firmware » Version: 1.06b05_ww

cpe:2.3:o:dlink:dir-300_firmware:1.06b05_ww
Dlink » Dir-600 Firmware » Version: N/A

cpe:2.3:o:dlink:dir-600_firmware:-

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2013-10069

Products

Pricing

Contact Us