Support Announcement
Central WiFi Manager (CWM-100) :: CVE-2019-13372 :: CVE-2019-13373 :: CVE-2019-13374 :: CVE-2019-13375 - Unauthenticated Command Injection, Command Execution, and XSS Vulnerability

On November 20, 2018, it was disclosed that D-Link's Central WiFi Manager Windows O/S software application (described here) has multiple security vulnerabilities. The vulnerabilities were found in the Central WiFiManager Software Controller and allow unauthenticated arbitrary SQL command execution, SQL injection, and XSS.

 

D-Link® Central WiFiManager software controller helps network administrators streamline their wireless access point (AP) management workflow. Central WiFi Manager is an innovative approach to the more traditional hardware-based multiple access point management system. It uses a centralized server to both remotely manage and monitor wireless APs on a network. Whether deployed on a local computer or hosted on a public cloud service, Central WiFi Manager can be easily integrated into existing networks in conjunction with supporting D-Link wireless APs, to help eliminate existing bottlenecks for wireless traffic.

 

3rd Party Report Accreditation:

 

Discovered and researched by M3@ZionLab from DBAppSecurity.

 

 

Affected Products:

 

This disclosure directly affects the software package, and current installations should be updated with the new release available to download below. Failure to update may put this software package, the host computer it runs on, and the D-Link devices that it manages at risk.

 

Solution/Patch/Fix:

  1. Arbitrary SQL query
  2. Remote command execution
  3. SQL injection
  4. Cross site scripting
| Affected Product | Affected Version | Corrected Version | Last Updated |
|---|---|---|---|
| CWM-100 :: D-Link Central WiFi Manager | Ver. 1.03 for Windows | v.1.03r001_Beta06 | 12/03/2018 |

 

Security Patches

 

These updates address the security vulnerabilities in the affected D-Link software package. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.

 

To update, we recommend saving your configuration, uninstalling the old package, and then installing the new update. Further assistance can be found via chat or email at http://support.dlink.com