CVE-2019-13372

/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary...

Basic Information

CVE State: PUBLISHED
Reserved Date: July 06, 2019
Published Date: July 06, 2019
Last Updated: August 04, 2024
Vendor: n/a
Product: n/a
Description: /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
Tags

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Source	Added Date
The Shadowserver (via CIRCL)	2025-09-28 00:00:00 UTC

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-13372.yaml	2026-06-01 15:34:27 UTC
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/dlink_central_wifimanager_rce.rb	2025-04-28 15:02:51 UTC

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Type: metasploit • Created: Unknown

Metasploit module for CVE-2019-13372