On D-Link DIR-859 A3-1.06 and DIR-850 A1.13 devices, /etc/services/DEVICE.TIME.php allows command injection via the $SERVER variable.

Published: 2019-10-11 20:15
Updated: 2019-10-16 13:14

CVSS Score
Score 10.0 / 10
Vendor | Product | Version | URI
Dlink | Dir-850l A Firmware | 1.13 | cpe:/o:dlink:dir-850l_a_firmware:1.13
Dlink | Dir-859 A3 Firmware | 1.06 | cpe:/o:dlink:dir-859_a3_firmware:1.06


ID | Name | Description
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

History of changes

Date Event
2019-10-16 13:14
2019-10-11 20:25