CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5299 – D-Link D-View execMonitorScript Exposed Dangerous Method Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5299
23 May 2024 — D-Link D-View execMonitorScript Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the execMonitorScript method. The issue results from an exposed dangerous method. • https://www.zerodayinitiative.com/advisories/ZDI-24-450 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5298 – D-Link D-View queryDeviceCustomMonitorResult Exposed Dangerous Method Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5298
23 May 2024 — D-Link D-View queryDeviceCustomMonitorResult Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the queryDeviceCustomMonitorResult method. The issue results from an exposed dangerous method. • https://www.zerodayinitiative.com/advisories/ZDI-24-449 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5297 – D-Link D-View executeWmicCmd Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5297
23 May 2024 — D-Link D-View executeWmicCmd Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the executeWmicCmd method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://www.zerodayinitiative.com/advisories/ZDI-24-448 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5296 – D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-5296
23 May 2024 — D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. • https://www.zerodayinitiative.com/advisories/ZDI-24-447 • CWE-321: Use of Hard-coded Cryptographic Key •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44412 – D-Link D-View addDv7Probe XML External Entity Processing Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-44412
04 Oct 2023 — D-Link D-View addDv7Probe XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the addDv7Probe function. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back... • https://www.zerodayinitiative.com/advisories/ZDI-23-1510 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44413 – D-Link D-View shutdown_coreserver Missing Authentication Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-44413
04 Oct 2023 — D-Link D-View shutdown_coreserver Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the shutdown_coreserver action. The issue results from the lack of authentication prior to allowing access to functionality. • https://www.zerodayinitiative.com/advisories/ZDI-23-1511 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44410 – D-Link D-View showUsers Improper Authorization Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-44410
04 Oct 2023 — D-Link D-View showUsers Improper Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of D-Link D-View. Authentication is required to exploit this vulnerability. The specific flaw exists within the showUsers method. The issue results from the lack of proper authorization before accessing a privileged endpoint. • https://www.zerodayinitiative.com/advisories/ZDI-23-1508 • CWE-285: Improper Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44414 – D-Link D-View coreservice_action_script Exposed Dangerous Function Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-44414
04 Oct 2023 — D-Link D-View coreservice_action_script Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the coreservice_action_script action. The issue results from the exposure of a dangerous function. • https://www.zerodayinitiative.com/advisories/ZDI-23-1512 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32164 – D-Link D-View TftpSendFileThread Directory Traversal Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-32164
24 May 2023 — D-Link D-View TftpSendFileThread Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TftpSendFileThread class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10332 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32167 – D-Link D-View uploadMib Directory Traversal Arbitrary File Creation or Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2023-32167
24 May 2023 — D-Link D-View uploadMib Directory Traversal Arbitrary File Creation or Deletion Vulnerability. This vulnerability allows remote attackers to create and delete arbitrary files on affected installations of D-Link D-View. Authentication is required to exploit this vulnerability. The specific flaw exists within the uploadMib function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10332 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •