CVE-2017-10676
https://notcve.org/view.php?id=CVE-2017-10676
On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was found in the form2userconfig.cgi username parameter.
References: ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-600M/REVC/DIR-600M_REVC_FIRMWARE_PATCH_NOTES_3.05B01_EN.pdf ; https://iscouncil.blogspot.com/2017/07/stored-xss-in-d-link-dir-600m-router.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-9100
https://notcve.org/view.php?id=CVE-2017-9100
login.cgi on D-Link DIR-600M devices with firmware 3.04 allows remote attackers to bypass authentication by entering more than 20 blank spaces in the password field during an admin login attempt.
References: http://touhidshaikh.com/blog/poc/d-link-dir600-auth-bypass ; https://www.exploit-db.com/exploits/42039 ; https://www.youtube.com/watch?v=waIJKWCpyNQ
CWE-287: Improper Authentication
CVE-2017-5874
https://notcve.org/view.php?id=CVE-2017-5874
CSRF exists on D-Link DIR-600M Rev. Cx devices before v3.05ENB01_beta_20170306. This can be used to bypass authentication and insert XSS sequences or possibly have unspecified other impact.
References: http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10072 ; http://www.securityfocus.com/bid/96999
CWE-352: Cross-Site Request Forgery (CSRF)