** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DAR-8000 up to 20151231. This affects an unknown part of the file /Tool/querysql.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240249 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| https://vuldb.com/?id.240249 | third party advisory vdb entry technical description |
| https://vuldb.com/?ctiid.240249 | signature third party advisory permissions required |
| https://github.com/llixixi/cve/blob/main/D-LINK-DAR-8000-10_sql_%20querysql.md | third party advisory exploit |
| https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10354 | vendor advisory related |