CVE-2021-39510

An issue was discovered in D-Link DIR816_A1_FW101CNB04 750m11ac wireless router, The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
Common Weakness Enumeration
References
https://github.com/doudoudedi/main-DIR-816_A1_Command-injection
https://github.com/doudoudedi/main-DIR-816_A1_Command-injection/blob/main/injection_A1.md
https://www.dlink.com/en/security-bulletin/
https://github.com/doudoudedi/main-DIR-816_A1_Command-injection
https://github.com/doudoudedi/main-DIR-816_A1_Command-injection/blob/main/injection_A1.md
https://www.dlink.com/en/security-bulletin/