Arbitrary PHP Code Execution via Username Field in D-Link Central WiFi Manager CWM(100)

Arbitrary PHP Code Execution via Username Field in D-Link Central WiFi Manager CWM(100)

CVE-2019-13372 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.

Learn more about our Web App Pen Testing.