CVE-2017-7852 – D-Link DCS Series Cameras - Insecure Crossdomain

https://notcve.org/view.php?id=CVE-2017-7852

24 Apr 2017 — D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without k... • https://packetstorm.news/files/id/142702 • CWE-352: Cross-Site Request Forgery (CSRF) •