CVE-2019-9124
https://notcve.org/view.php?id=CVE-2019-9124
An issue was discovered on D-Link DIR-878 1.12B01 devices. At the /HNAP1 URI, an attacker can log in with a blank password. Se ha descubierto un problema en dispositivos D-Link DIR-878 1.12B01. En el URI /HNAP1, un atacante puede iniciar sesión con una contraseña en blanco. • https://github.com/WhooAmii/whooamii.github.io/blob/master/2018/DIR-878/blankpassword.md • CWE-287: Improper Authentication •
CVE-2019-7297
https://notcve.org/view.php?id=CVE-2019-7297
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input. Se ha descubierto un problema en dispositivos D-Link DIR-823G con firmware hasta la versión 1.02B03. • http://www.securityfocus.com/bid/106815 https://github.com/leonW7/D-Link/blob/master/Vul_1.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2018-20389
https://notcve.org/view.php?id=CVE-2018-20389
D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 and DCM-704 EU_DCM-704_1.10 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. Los dispositivos D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 y DCM-704 EU_DCM-704_1.10 permiten que atacantes remotos descubran credenciales mediante peticiones SNMP iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 e iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0. • https://github.com/ezelf/sensitivesOids/blob/master/oidpassswordleaks.csv https://misteralfa-hack.blogspot.com/2018/12/stringbleed-y-ahora-que-passwords-leaks.html • CWE-522: Insufficiently Protected Credentials •
CVE-2018-18441
https://notcve.org/view.php?id=CVE-2018-18441
D-Link DCS series Wi-Fi cameras expose sensitive information regarding the device configuration. The affected devices include many of DCS series, such as: DCS-936L, DCS-942L, DCS-8000LH, DCS-942LB1, DCS-5222L, DCS-825L, DCS-2630L, DCS-820L, DCS-855L, DCS-2121, DCS-5222LB1, DCS-5020L, and many more. There are many affected firmware versions starting from 1.00 and above. The configuration file can be accessed remotely through: <Camera-IP>/common/info.cgi, with no authentication. The configuration file include the following fields: model, product, brand, version, build, hw_version, nipca version, device name, location, MAC address, IP address, gateway IP address, wireless status, input/output settings, speaker, and sensor settings. • https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-18767
https://notcve.org/view.php?id=CVE-2018-18767
An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials. Se ha descubierto un problema en la aplicación "myDlink Baby App", de D-Link, en su versión 2.04.06. Cuando se realizan acciones desde la aplicación (como el cambio de las opciones de la cámara o la reproducción de nanas), se comunica directamente con la cámara wifi (D-Link 825L con firmware en versión 1.08) con las credenciales (nombre de usuario y contraseña) en texto claro base64. • https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor • CWE-326: Inadequate Encryption Strength •