Filtered by vendor Dlink
Subscribe
Total
448 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39510 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2021-08-31 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in D-Link DIR816_A1_FW101CNB04 750m11ac wireless router, The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters. | |||||
| CVE-2021-39615 | 1 Dlink | 2 Dsr-500n, Dsr-500n Firmware | 2021-08-30 | 10.0 HIGH | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** D-Link DSR-500N version 1.02 contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file.If an attacker succeeds in recovering the cleartext password of the identified hash value, he will be able to log in via SSH or Telnet and thus gain access to the underlying embedded Linux operating system on the device. Fixed in version 2.12/2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-39614 | 1 Dlink | 2 Dvx-2000ms, Dvx-2000ms Firmware | 2021-08-30 | 5.0 MEDIUM | 9.8 CRITICAL |
| D-Link DVX-2000MS contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. As weak passwords have been used, the plaintext passwords can be recovered from the hash values. | |||||
| CVE-2021-39613 | 1 Dlink | 2 Dvg-3104ms, Dvg-3104ms Firmware | 2021-08-30 | 5.0 MEDIUM | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** D-Link DVG-3104MS version 1.0.2.0.3, 1.0.2.0.4, and 1.0.2.0.4E contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. As weak passwords have been used, the plaintext passwords can be recovered from the hash values. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2021-29295 | 1 Dlink | 2 Dsp-w215, Dsp-w215 Firmware | 2021-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED **Null Pointer Dereference vulnerability exists in D-Link DSP-W215 1.10, which could let a remote malicious user cause a denial of servie via usr/bin/lighttpd. It could be triggered by sending an HTTP request without URL in the start line directly to the device. NOTE: The DSP-W215 and all hardware revisions is considered End of Life and as such this issue will not be patched. | |||||
| CVE-2021-29296 | 1 Dlink | 2 Dir-825, Dir-825 Firmware | 2021-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED **Null Pointer Dereference vulnerability in D-Link DIR-825 2.10b02, which could let a remote malicious user cause a denial of service. The vulnerability could be triggered by sending an HTTP request with URL /vct_wan; the sbin/httpd would invoke the strchr function and take NULL as a first argument, which finally leads to the segmentation fault. NOTE: The DIR-825 and all hardware revisions is considered End of Life and as such this issue will not be patched. | |||||
| CVE-2021-29294 | 1 Dlink | 2 Dsl-2740r, Dsl-2740r Firmware | 2021-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** Null Pointer Dereference vulnerability exists in D-Link DSL-2740R UK_1.01, which could let a remove malicious user cause a denial of service via the send_hnap_unauthorized function. It could be triggered by sending crafted POST request to /HNAP1/. NOTE: The DSL-2740R and all hardware revisions are considered End of Life and as such this issue will not be patched. | |||||
| CVE-2021-28840 | 1 Dlink | 18 Dap-2310, Dap-2310 Firmware, Dap-2330 and 15 more | 2021-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| Null Pointer Dereference vulnerability exists in D-Link DAP-2310 2.07.RC031, DAP-2330 1.07.RC028, DAP-2360 2.07.RC043, DAP-2553 3.06.RC027, DAP-2660 1.13.RC074, DAP-2690 3.16.RC100, DAP-2695 1.17.RC063, DAP-3320 1.01.RC014 and DAP-3662 1.01.RC022 in the upload_config function of sbin/httpd binary. When the binary handle the specific HTTP GET request, the content in upload_file variable is NULL in the upload_config function then the strncasecmp would take NULL as first argument, and incur the NULL pointer dereference vulnerability. | |||||
| CVE-2021-28839 | 1 Dlink | 18 Dap-2310, Dap-2310 Firmware, Dap-2330 and 15 more | 2021-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| Null Pointer Dereference vulnerability exists in D-Link DAP-2310 2.07.RC031, DAP-2330 1.07.RC028, DAP-2360 2.07.RC043, DAP-2553 3.06.RC027, DAP-2660 1.13.RC074, DAP-2690 3.16.RC100, DAP-2695 1.17.RC063, DAP-3320 1.01.RC014 and DAP-3662 1.01.RC022 in the upload_certificate function of sbin/httpd binary. When the binary handle the specific HTTP GET request, the strrchr in the upload_certificate function would take NULL as first argument, and incur the NULL pointer dereference vulnerability. | |||||
| CVE-2021-28838 | 1 Dlink | 18 Dap-2310, Dap-2310 Firmware, Dap-2330 and 15 more | 2021-08-17 | 5.0 MEDIUM | 7.5 HIGH |
| Null pointer dereference vulnerability in D-Link DAP-2310 2,10RC039, DAP-2330 1.10RC036 BETA, DAP-2360 2.10RC055, DAP-2553 3.10rc039 BETA, DAP-2660 1.15rc131b, DAP-2690 3.20RC115 BETA, DAP-2695 1.20RC093, DAP-3320 1.05RC027 BETA and DAP-3662 1.05rc069 in the sbin/httpd binary. The crash happens at the `atoi' operation when a specific network package are sent to the httpd binary. | |||||
| CVE-2021-37388 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2021-08-13 | 7.5 HIGH | 9.8 CRITICAL |
| A buffer overflow in D-Link DIR-615 C2 3.03WW. The ping_ipaddr parameter in ping_response.cgi POST request allows an attacker to crash the webserver and might even gain remote code execution. | |||||
| CVE-2020-9376 | 1 Dlink | 2 Dir-610, Dir-610 Firmware | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-9377 | 1 Dlink | 2 Dir-610, Dir-610 Firmware | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-9275 | 1 Dlink | 2 Dsl-2640b, Dsl-2640b Firmware | 2021-07-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials. | |||||
| CVE-2020-9278 | 1 Dlink | 2 Dsl-2640b, Dsl-2640b Firmware | 2021-07-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The device can be reset to its default configuration by accessing an unauthenticated URL. | |||||
| CVE-2020-26582 | 1 Dlink | 2 Dap-1360u, Dap-1360u Firmware | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| D-Link DAP-1360U before 3.0.1 devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the IP JSON value for ping (aka res_config_action=3&res_config_id=18). | |||||
| CVE-2020-25759 | 1 Dlink | 20 Dsr-1000, Dsr-1000 Firmware, Dsr-1000ac and 17 more | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Services Router web interface could allow an authenticated attacker to execute arbitrary commands, due to a lack of validation of inputs provided in multipart HTTP POST requests. | |||||
| CVE-2019-19743 | 1 Dlink | 2 Dir-615 T1, Dir-615 T1 Firmware | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| On D-Link DIR-615 devices, a normal user is able to create a root(admin) user from the D-Link portal. | |||||
| CVE-2020-25757 | 1 Dlink | 20 Dsr-1000, Dsr-1000 Firmware, Dsr-1000ac and 17 more | 2021-07-21 | 8.3 HIGH | 8.8 HIGH |
| A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17. | |||||
| CVE-2020-25506 | 1 Dlink | 2 Dns-320, Dns-320 Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution. | |||||