CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51629 – D-Link DCS-8300LHV2 ONVIF Hardcoded PIN Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-51629
11 Jan 2024 — D-Link DCS-8300LHV2 ONVIF Hardcoded PIN Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DCS-8300LHV2 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the ONVIF API. The issue results from the use of a hardcoded PIN. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10370 • CWE-259: Use of Hard-coded Password •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2023-51631 – D-Link DIR-X3260 prog.cgi SetUsersSettings Stack-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-51631
11 Jan 2024 — D-Link DIR-X3260 prog.cgi SetUsersSettings Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the prog.cgi binary, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of a user-su... • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10365 • CWE-121: Stack-based Buffer Overflow •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51625 – D-Link DCS-8300LHV2 ONVIF SetSystemDateAndTime Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-51625
11 Jan 2024 — D-Link DCS-8300LHV2 ONVIF SetSystemDateAndTime Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DCS-8300LHV2 IP cameras. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the implementation of the ONVIF API, which listens on TCP port 80. When parsing the sch:TZ XML element, the process ... • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10370 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2023-50200 – D-Link G416 cfgsave backusb Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-50200
20 Dec 2023 — D-Link G416 cfgsave backusb Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link G416 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HTTP service listening on TCP port 80. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10367 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-50203 – D-Link G416 nodered chmod Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-50203
20 Dec 2023 — D-Link G416 nodered chmod Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link G416 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HTTP service listening on TCP port 80. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10367 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2023-50215 – D-Link G416 nodered gz File Handling Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-50215
20 Dec 2023 — D-Link G416 nodered gz File Handling Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link G416 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HTTP service listening on TCP port 80. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10367 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2023-50216 – D-Link G416 awsfile tar File Handling Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-50216
20 Dec 2023 — D-Link G416 awsfile tar File Handling Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link G416 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HTTP service listening on TCP port 80. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10367 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-44403 – D-Link DAP-1325 HNAP SetWLanRadioSettings Channel Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-44403
04 Oct 2023 — D-Link DAP-1325 HNAP SetWLanRadioSettings Channel Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1325 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of a request parameter provided to the HNAP1 SOAP endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a... • https://www.zerodayinitiative.com/advisories/ZDI-23-1501 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-44407 – D-Link DAP-1325 SetAPLanSettings Gateway Stack-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-44407
04 Oct 2023 — D-Link DAP-1325 SetAPLanSettings Gateway Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1325 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of XML data provided to the HNAP1 SOAP endpoint. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fix... • https://www.zerodayinitiative.com/advisories/ZDI-23-1505 • CWE-121: Stack-based Buffer Overflow •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44410 – D-Link D-View showUsers Improper Authorization Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-44410
04 Oct 2023 — D-Link D-View showUsers Improper Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of D-Link D-View. Authentication is required to exploit this vulnerability. The specific flaw exists within the showUsers method. The issue results from the lack of proper authorization before accessing a privileged endpoint. • https://www.zerodayinitiative.com/advisories/ZDI-23-1508 • CWE-285: Improper Authorization •