Filtered by vendor D-link
Subscribe
Total
279 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-13263 | 1 D-link | 2 Dir-825\/ac G1, Dir-825\/ac G1 Firmware | 2020-08-24 | 5.8 MEDIUM | 8.8 HIGH |
D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with an ACK or NAK message. Studying the NAK case revealed that the router erroneously sends the NAK to both Host and Guest networks with the same Transaction ID as found in the DHCP Request. This allows encoding of data to be sent cross-router into the 32-bit Transaction ID field. | |||||
CVE-2019-19225 | 1 D-link | 2 Dsl-2680, Dsl-2680 Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to change DNS servers without being authenticated on the admin interface by submitting a crafted Forms/dns_1 POST request. | |||||
CVE-2019-9126 | 1 D-link | 2 Dir-825 Rev.b, Dir-825 Rev.b Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. There is an information disclosure vulnerability via requests for the router_info.xml document. This will reveal the PIN code, MAC address, routing table, firmware version, update time, QOS information, LAN information, and WLAN information of the device. | |||||
CVE-2018-18767 | 1 D-link | 3 Dcs-825l, Dcs-825l Firmware, Mydlink Baby Camera Monitor | 2020-08-24 | 1.9 LOW | 7.0 HIGH |
An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials. | |||||
CVE-2018-20056 | 1 D-link | 4 Dir-605l, Dir-605l Firmware, Dir-619l and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. There is a stack-based buffer overflow allowing remote attackers to execute arbitrary code without authentication via the goform/formLanguageChange currTime parameter. | |||||
CVE-2018-17067 | 1 D-link | 2 Dir-816 A2, Dir-816 A2 Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. A very long password to /goform/formLogin could lead to a stack-based buffer overflow and overwrite the return address. | |||||
CVE-2018-18442 | 1 D-link | 2 Dcs-825l, Dcs-825l Firmware | 2020-08-24 | 7.8 HIGH | 7.5 HIGH |
D-Link DCS-825L devices with firmware 1.08 do not employ a suitable mechanism to prevent denial-of-service (DoS) attacks. An attacker can harm the device availability (i.e., live-online video/audio streaming) by using the hping3 tool to perform an IPv4 flood attack. Verified attacks includes SYN flooding, UDP flooding, ICMP flooding, and SYN-ACK flooding. | |||||
CVE-2018-16408 | 1 D-link | 2 Dir-846, Dir-846 Firmware | 2020-08-24 | 9.0 HIGH | 7.2 HIGH |
D-Link DIR-846 devices with firmware 100.26 allow remote attackers to execute arbitrary code as root via a SetNetworkTomographySettings request by leveraging admin access. | |||||
CVE-2020-15633 | 1 D-link | 6 Dir-867, Dir-867 Firmware, Dir-878 and 3 more | 2020-07-28 | 5.8 MEDIUM | 8.8 HIGH |
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.20B10_BETA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP requests. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. Was ZDI-CAN-10835. | |||||
CVE-2020-15893 | 1 D-link | 2 Dir-816l, Dir-816l Firmware | 2020-07-24 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet. | |||||
CVE-2020-15895 | 1 D-link | 2 Dir-816l, Dir-816l Firmware | 2020-07-24 | 4.3 MEDIUM | 6.1 MEDIUM |
An XSS issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. In the file webinc/js/info.php, no output filtration is applied to the RESULT parameter, before it's printed on the webpage. | |||||
CVE-2019-20499 | 1 D-link | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2020-03-28 | 7.2 HIGH | 7.8 HIGH |
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter. | |||||
CVE-2019-20500 | 1 D-link | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2020-03-06 | 7.2 HIGH | 7.8 HIGH |
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter. | |||||
CVE-2019-20501 | 1 D-link | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2020-03-06 | 7.2 HIGH | 7.8 HIGH |
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Upgrade Firmware functionality in the Web interface, using shell metacharacters in the admin.cgi?action=upgrade firmwareRestore or firmwareServerip parameter. | |||||
CVE-2012-6614 | 1 D-link | 2 Dsr-250n, Dsr-250n Firmware | 2020-03-05 | 9.0 HIGH | 7.2 HIGH |
D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password. | |||||
CVE-2019-19222 | 1 D-link | 2 Dsl-2680, Dsl-2680 Firmware | 2020-03-04 | 3.5 LOW | 5.4 MEDIUM |
A Stored XSS issue in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an authenticated attacker to inject arbitrary JavaScript code into the info.html administration page by sending a crafted Forms/wireless_autonetwork_1 POST request. | |||||
CVE-2019-19223 | 1 D-link | 2 Dsl-2680, Dsl-2680 Firmware | 2020-03-04 | 7.8 HIGH | 7.5 HIGH |
A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to reboot the router by submitting a reboot.html GET request without being authenticated on the admin interface. | |||||
CVE-2020-9535 | 1 D-link | 2 Dir-615jx10, Dir-615jx10 Firmware | 2020-03-04 | 6.5 MEDIUM | 8.8 HIGH |
fmwlan.c on D-Link DIR-615Jx10 devices has a stack-based buffer overflow via the formWlanSetup_Wizard webpage parameter when f_radius_ip1 is malformed. | |||||
CVE-2020-9534 | 1 D-link | 2 Dir-615jx10, Dir-615jx10 Firmware | 2020-03-03 | 6.5 MEDIUM | 8.8 HIGH |
fmwlan.c on D-Link DIR-615Jx10 devices has a stack-based buffer overflow via the formWlanSetup webpage parameter when f_radius_ip1 is malformed. | |||||
CVE-2020-6841 | 1 D-link | 2 Dch-m225, Dch-m225 Firmware | 2020-02-25 | 10.0 HIGH | 9.8 CRITICAL |
D-Link DCH-M225 1.05b01 and earlier devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the spotifyConnect.php userName parameter. |