CVE-2019-13375
CRITICAL
D-Link Central WiFiManager < 1.03R0100_BETA6 - Unauthenticated SQL Injection via PayAction.class.php passcode Parameter
Title source: llmDescription
A SQL injection vulnerability was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6, in PayAction.class.php, via the passcode parameter of index.php/Pay/passcodeAuth. The vulnerability can be exploited without any authentication.
References (3)
Core References
Various Sources x_refsource_misc
https://unh3x.github.io/2019/02/21/D-link-%28CWM-100%29-Multiple-Vulnerabilities/
Various Sources x_refsource_misc
https://github.com/unh3x/unh3x.github.io/blob/master/_posts/2019-02-21-D-link-%28CWM-100%29-Multiple-Vulnerabilities.md
Patch, Vendor Advisory x_refsource_confirm
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10117
Scores
CVSS v3
9.8
EPSS
0.0275
EPSS Percentile
86.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
dlink/central_wifimanager
1.03
Published
Jul 06, 2019
Tracked Since
Feb 18, 2026