Filtered by vendor D-link
Subscribe
Total
279 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-17786 | 1 D-link | 2 Dir-823g, Dir-823g Firmware | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
On D-Link DIR-823G devices, ExportSettings.sh, upload_settings.cgi, GetDownLoadSyslog.sh, and upload_firmware.cgi do not require authentication, which allows remote attackers to execute arbitrary code. | |||||
CVE-2018-17787 | 1 D-link | 2 Dir-823g, Dir-823g Firmware | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
On D-Link DIR-823G devices, the GoAhead configuration allows /HNAP1 Command Injection via shell metacharacters in the POST data, because this data is sent directly to the "system" library function. | |||||
CVE-2018-19986 | 1 D-link | 4 Dir-818lw, Dir-818lw Firmware, Dir-822 and 1 more | 2019-10-02 | 10.0 HIGH | 9.8 CRITICAL |
In the /HNAP1/SetRouterSettings message, the RemotePort parameter is vulnerable, and the vulnerability affects D-Link DIR-818LW Rev.A 2.05.B03 and DIR-822 B1 202KRb06 devices. In the SetRouterSettings.php source code, the RemotePort parameter is saved in the $path_inf_wan1."/web" internal configuration memory without any regex checking. And in the IPTWAN_build_command function of the iptwan.php source code, the data in $path_inf_wan1."/web" is used with the iptables command without any regex checking. A vulnerable /HNAP1/SetRouterSettings XML message could have shell metacharacters in the RemotePort element such as the `telnetd` string. | |||||
CVE-2018-19987 | 1 D-link | 12 Dir-818lw, Dir-818lw Firmware, Dir-822 and 9 more | 2019-10-02 | 10.0 HIGH | 9.8 CRITICAL |
D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string. | |||||
CVE-2018-19989 | 1 D-link | 2 Dir-822, Dir-822 Firmware | 2019-10-02 | 10.0 HIGH | 9.8 CRITICAL |
In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter is saved in the /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth internal configuration memory without any regex checking. And in the bwc_tc_spq_start, bwc_tc_wfq_start, and bwc_tc_adb_start functions of the bwcsvcs.php source code, the data in /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth is used with the tc command without any regex checking. A vulnerable /HNAP1/SetQoSSettings XML message could have shell metacharacters in the uplink element such as the `telnetd` string. | |||||
CVE-2017-8408 | 1 D-link | 2 Dcs-1130, Dcs-1130 Firmware | 2019-07-08 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. It seems that the GET parameters passed in this request (to test if SMB credentials and hostname sent to the device work properly) result in being passed as commands to a "system" API in the function and thus result in command injection on the device. If the firmware version is dissected using binwalk tool, we obtain a cramfs-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "cgibox" is the one that has the vulnerable function "sub_7EAFC" that receives the values sent by the GET request. If we open this binary in IDA-pro we will notice that this follows a ARM little endian format. The function sub_7EAFC in IDA pro is identified to be receiving the values sent in the GET request and the value set in GET parameter "user" is extracted in function sub_7E49C which is then passed to the vulnerable system API call. | |||||
CVE-2018-19300 | 1 D-link | 16 Dap-1530, Dap-1530 Firmware, Dap-1610 and 13 more | 2019-04-12 | 10.0 HIGH | 9.8 CRITICAL |
On D-Link DAP-1530 (A1) before firmware version 1.06b01, DAP-1610 (A1) before firmware version 1.06b01, DWR-111 (A1) before firmware version 1.02v02, DWR-116 (A1) before firmware version 1.06b03, DWR-512 (B1) before firmware version 2.02b01, DWR-711 (A1) through firmware version 1.11, DWR-712 (B1) before firmware version 2.04b01, DWR-921 (A1) before firmware version 1.02b01, and DWR-921 (B1) before firmware version 2.03b01, there exists an EXCU_SHELL file in the web directory. By sending a GET request with specially crafted headers to the /EXCU_SHELL URI, an attacker could execute arbitrary shell commands in the root context on the affected device. Other devices might be affected as well. | |||||
CVE-2014-7859 | 1 D-link | 10 Dnr-320l, Dnr-320l Firmware, Dnr-326 and 7 more | 2019-03-19 | 7.5 HIGH | 9.8 CRITICAL |
Stack-based buffer overflow in login_mgr.cgi in D-Link firmware DNR-320L and DNS-320LW before 1.04b08, DNR-322L before 2.10 build 03, DNR-326 before 2.10 build 03, and DNS-327L before 1.04b01 allows remote attackers to execute arbitrary code by crafting malformed "Host" and "Referer" header values. | |||||
CVE-2018-15516 | 1 D-link | 1 Central Wifimanager | 2019-02-22 | 3.5 LOW | 5.8 MEDIUM |
The FTP service on D-Link Central WiFiManager CWM-100 1.03 r0098 devices allows remote attackers to conduct a PORT command bounce scan via port 8000, resulting in SSRF. | |||||
CVE-2018-15517 | 1 D-link | 1 Central Wifimanager | 2019-02-21 | 5.0 MEDIUM | 8.6 HIGH |
The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. | |||||
CVE-2019-7297 | 1 D-link | 2 Dir-823g, Dir-823g Firmware | 2019-02-19 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input. | |||||
CVE-2018-18441 | 1 D-link | 36 Dcs-2102, Dcs-2102 Firmware, Dcs-2121 and 33 more | 2019-02-13 | 5.0 MEDIUM | 7.5 HIGH |
D-Link DCS series Wi-Fi cameras expose sensitive information regarding the device configuration. The affected devices include many of DCS series, such as: DCS-936L, DCS-942L, DCS-8000LH, DCS-942LB1, DCS-5222L, DCS-825L, DCS-2630L, DCS-820L, DCS-855L, DCS-2121, DCS-5222LB1, DCS-5020L, and many more. There are many affected firmware versions starting from 1.00 and above. The configuration file can be accessed remotely through: <Camera-IP>/common/info.cgi, with no authentication. The configuration file include the following fields: model, product, brand, version, build, hw_version, nipca version, device name, location, MAC address, IP address, gateway IP address, wireless status, input/output settings, speaker, and sensor settings. | |||||
CVE-2018-10822 | 1 D-link | 16 Dir-140l, Dir-140l Firmware, Dir-640l and 13 more | 2019-01-23 | 5.0 MEDIUM | 7.5 HIGH |
Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190. | |||||
CVE-2018-14080 | 1 D-link | 4 Dir-809, Dir-809 A1 Firmware, Dir-809 A2 Firmware and 1 more | 2019-01-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on D-Link DIR-809 A1 through 1.09, A2 through 1.11, and Guest Zone through 1.09 devices. One can bypass authentication mechanisms to download the configuration file. | |||||
CVE-2018-20057 | 1 D-link | 4 Dir-605l, Dir-605l Firmware, Dir-619l and 1 more | 2018-12-31 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. goform/formSysCmd allows remote authenticated users to execute arbitrary OS commands via the sysCmd POST parameter. | |||||
CVE-2018-17881 | 1 D-link | 2 Dir-823g, Dir-823g Firmware | 2018-12-17 | 5.0 MEDIUM | 9.8 CRITICAL |
On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 SetPasswdSettings commands without authentication to trigger an admin password change. | |||||
CVE-2018-18636 | 1 D-link | 2 Dsl-2640t, Dsl-2640t Firmware | 2018-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
XSS exists in cgi-bin/webcm on D-link DSL-2640T routers via the var:RelaodHref or var:conid parameter. | |||||
CVE-2018-17440 | 1 D-link | 1 Central Wifimanager | 2018-11-23 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. They expose an FTP server that serves by default on port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this, a remote unauthenticated attacker could execute arbitrary PHP code by uploading any file in the web root directory and then accessing it via a request. | |||||
CVE-2018-17442 | 1 D-link | 1 Central Wifimanager | 2018-11-23 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. An unrestricted file upload vulnerability in the onUploadLogPic endpoint allows remote authenticated users to execute arbitrary PHP code. | |||||
CVE-2018-17443 | 1 D-link | 1 Central Wifimanager | 2018-11-23 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'sitename' parameter of the UpdateSite endpoint is vulnerable to stored XSS. |