Description
In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter is saved in the /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth internal configuration memory without any regex checking. And in the bwc_tc_spq_start, bwc_tc_wfq_start, and bwc_tc_adb_start functions of the bwcsvcs.php source code, the data in /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth is used with the tc command without any regex checking. A vulnerable /HNAP1/SetQoSSettings XML message could have shell metacharacters in the uplink element such as the `telnetd` string.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990
Scores
CVSS v3
9.8
EPSS
0.3275
EPSS Percentile
96.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
d-link/dir-822_firmware
202krb06
dlink/dir-822_firmware
3.10b06
Published
May 13, 2019
Tracked Since
Feb 18, 2026