CVE-2024-0717 – D-Link Good Line Router v2 HTTP GET Request devinfo information disclosure
https://notcve.org/view.php?id=CVE-2024-0717
A vulnerability classified as critical was found in D-Link DAP-1360, DIR-300, DIR-615, DIR-615GF, DIR-615S, DIR-615T, DIR-620, DIR-620S, DIR-806A, DIR-815, DIR-815AC, DIR-815S, DIR-816, DIR-820, DIR-822, DIR-825, DIR-825AC, DIR-825ACF, DIR-825ACG1, DIR-841, DIR-842, DIR-842S, DIR-843, DIR-853, DIR-878, DIR-882, DIR-1210, DIR-1260, DIR-2150, DIR-X1530, DIR-X1860, DSL-224, DSL-245GR, DSL-2640U, DSL-2750U, DSL-G2452GR, DVG-5402G, DVG-5402G, DVG-5402GFRU, DVG-N5402G, DVG-N5402G-IL, DWM-312W, DWM-321, DWR-921, DWR-953 and Good Line Router v2 up to 20240112. This vulnerability affects unknown code of the file /devinfo of the component HTTP GET Request Handler. The manipulation of the argument area with the input notice|net|version leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/999zzzzz/D-Link https://vuldb.com/?ctiid.251542 https://vuldb.com/?id.251542 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2021-44127
https://notcve.org/view.php?id=CVE-2021-44127
In DLink DAP-1360 F1 firmware version <=v6.10 in the "webupg" binary, an attacker can use the "file" parameter to execute arbitrary system commands when the parameter is "name=deleteFile" after being authorized. • https://github.com/tgp-top/DAP-1360/blob/main/README.md https://www.dlink.com/en/security-bulletin •
CVE-2019-18666
https://notcve.org/view.php?id=CVE-2019-18666
An issue was discovered on D-Link DAP-1360 revision F devices. Remote attackers can start a telnet service without authorization via an undocumented HTTP request. Although this is the primary vulnerability, the impact depends on the firmware version. Versions 609EU through 613EUbeta were tested. Versions through 6.12b01 have weak root credentials, allowing an attacker to gain remote root access. • http://c1a.eu/dlink-dap-1360.html https://daschloer.github.io/sec/dlink-dap-1360.html https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10171 • CWE-306: Missing Authentication for Critical Function •
CVE-2014-10027
https://notcve.org/view.php?id=CVE-2014-10027
Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP-1360 router with firmware 2.5.4 and earlier allow remote attackers to hijack the authentication of unspecified users for requests that (1) change the MAC filter restrict mode, (2) add a MAC address to the filter, or (3) remove a MAC address from the filter via a crafted request to index.cgi. • http://seclists.org/fulldisclosure/2014/Nov/100 http://websecurity.com.ua/7215 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-10028
https://notcve.org/view.php?id=CVE-2014-10028
Cross-site scripting (XSS) vulnerability in D-Link DAP-1360 router with firmware 2.5.4 and later allows remote attackers to inject arbitrary web script or HTML via the res_buf parameter to index.cgi when res_config_id is set to 41. • http://seclists.org/fulldisclosure/2014/Nov/100 http://websecurity.com.ua/7215 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •