CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 2CVE-2019-9125
https://notcve.org/view.php?id=CVE-2019-9125
An issue was discovered on D-Link DIR-878 1.12B01 devices. Because strncpy is misused, there is a stack-based buffer overflow vulnerability that does not require authentication via the HNAP_AUTH HTTP header. Se ha descubierto un problema en dispositivos D-Link DIR-878 1.12B01. Debido a que strncpy se emplea de manera incorrecta, hay una vulnerabilidad de desbordamiento de búfer basada en pila que no requiere autenticación mediante la cabecera HNAP_AUTH HTTP. • https://github.com/WhooAmii/whooamii.github.io/blob/master/2018/DIR-878/overflow1.md https://github.com/WhooAmii/whooamii.github.io/blob/master/2018/DIR-878/overflow2.md • CWE-306: Missing Authentication for Critical Function CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-9124
https://notcve.org/view.php?id=CVE-2019-9124
An issue was discovered on D-Link DIR-878 1.12B01 devices. At the /HNAP1 URI, an attacker can log in with a blank password. Se ha descubierto un problema en dispositivos D-Link DIR-878 1.12B01. En el URI /HNAP1, un atacante puede iniciar sesión con una contraseña en blanco. • https://github.com/WhooAmii/whooamii.github.io/blob/master/2018/DIR-878/blankpassword.md • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 73%CPEs: 2EXPL: 1CVE-2019-7297
https://notcve.org/view.php?id=CVE-2019-7297
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input. Se ha descubierto un problema en dispositivos D-Link DIR-823G con firmware hasta la versión 1.02B03. • http://www.securityfocus.com/bid/106815 https://github.com/leonW7/D-Link/blob/master/Vul_1.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1CVE-2018-20389
https://notcve.org/view.php?id=CVE-2018-20389
D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 and DCM-704 EU_DCM-704_1.10 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests. Los dispositivos D-Link DCM-604 DCM604_C1_ViaCabo_1.04_20130606 y DCM-704 EU_DCM-704_1.10 permiten que atacantes remotos descubran credenciales mediante peticiones SNMP iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 e iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0. • https://github.com/ezelf/sensitivesOids/blob/master/oidpassswordleaks.csv https://misteralfa-hack.blogspot.com/2018/12/stringbleed-y-ahora-que-passwords-leaks.html • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2018-18442
https://notcve.org/view.php?id=CVE-2018-18442
D-Link DCS-825L devices with firmware 1.08 do not employ a suitable mechanism to prevent denial-of-service (DoS) attacks. An attacker can harm the device availability (i.e., live-online video/audio streaming) by using the hping3 tool to perform an IPv4 flood attack. Verified attacks includes SYN flooding, UDP flooding, ICMP flooding, and SYN-ACK flooding. Los dispositivos D-Link DCS-825L con firmware en versión 1.08 no emplean un mecanismo adecuado para evitar ataques de denegación de servicio (DoS). Un atacante puede dañar la disponibilidad del dispositivo (como la transmisión de vídeo/audio en directo online) mediante el uso de la herramienta hping3 para realizar un ataque de inundación IPv4. • https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor •