CVE-2019-13373

CRITICAL

Dlink Central Wifimanager - SQL Injection

Title source: rule

Description

An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the /web/Public/Conn.php parameter dbSQL.

Exploits (1)

metasploit WORKING POC

by M3@ZionLab from DBAppSecurity · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.rb

View Code ZIP pw:eip

References (3)

[Various Sources] https://unh3x.github.io/2019/02/21/D-link-%28CWM-100%29-Multiple-Vulnerabilities/

[Various Sources] https://github.com/unh3x/unh3x.github.io/blob/master/_posts/2019-02-21-D-link-%28CWM-100%29-Multiple-Vulnerabilities.md

[Patch, Vendor Advisory] https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10117

Scores

CVSS v3 9.8

EPSS 0.9008

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

dlink/central_wifimanager 1.03

Published Jul 06, 2019

Tracked Since Feb 18, 2026