CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2017-14417
https://notcve.org/view.php?id=CVE-2017-14417
13 Sep 2017 — register_send.php on D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices does not require authentication, which can result in unintended enrollment in mydlink Cloud Services. register_send.php en dispositivos D-Link DIR-850L REV. B (con firmware hasta la versión FW208WWb02) no requiere autenticación, lo que puede resultar en una inscripción involuntaria en mydlink Cloud Services. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 10.0EPSS: 1%CPEs: 5EXPL: 1CVE-2017-14429
https://notcve.org/view.php?id=CVE-2017-14429
13 Sep 2017 — The DHCP client on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices allows unauthenticated remote code execution as root because /etc/services/INET/inet_ipv4.php mishandles shell metacharacters, affecting generated files such as WAN-1-udhcpc.sh. El cliente DHCP en dispositivos D-Link DIR-850L REV. A (con firmware hasta la versión FW114WWb07_h2ab_beta1) y REV. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2017-14425
https://notcve.org/view.php?id=CVE-2017-14425
13 Sep 2017 — D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/etc/hnapasswd permissions. Los dispositivos D-Link DIR-850L REV. A (con firmware hasta la versión FW114WWb07_h2ab_beta1) y REV. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-276: Incorrect Default Permissions •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2017-14418
https://notcve.org/view.php?id=CVE-2017-14418
13 Sep 2017 — The D-Link NPAPI extension, as used in conjunction with D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices, sends the cleartext admin password over the Internet as part of interaction with mydlink Cloud Services. La extensión D-Link NPAPI, tal y como se emplea conjuntamente con dispositivos D-Link DIR-850L REV. B (con firmware hasta la versión FW208WWb02) envía la contraseña de administrador en texto claro a través de Internet como parte de la interacción con mydlink Cloud Services. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2017-14428
https://notcve.org/view.php?id=CVE-2017-14428
13 Sep 2017 — D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/hostapd* permissions. Los dispositivos D-Link DIR-850L REV. A (con firmware hasta la versión FW114WWb07_h2ab_beta1) y REV. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-798: Use of Hard-coded Credentials •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 1CVE-2017-14419
https://notcve.org/view.php?id=CVE-2017-14419
13 Sep 2017 — The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, participates in mydlink Cloud Services by establishing a TCP relay service for HTTP, even though a TCP relay service for HTTPS is also established. La extensión D-Link NPAPI, tal y como se emplea conjuntamente con dispositivos D-Link DIR-850L REV. A (con firmware hasta la versión FW114WWb07_h2ab_beta1) y REV. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2017-14426
https://notcve.org/view.php?id=CVE-2017-14426
13 Sep 2017 — D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0644 /var/etc/shadow (aka the /etc/shadow symlink target) permissions. Los dispositivos D-Link DIR-850L REV. A (con firmware hasta la versión FW114WWb07_h2ab_beta1) y REV. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-798: Use of Hard-coded Credentials •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2017-14414
https://notcve.org/view.php?id=CVE-2017-14414
13 Sep 2017 — D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/shareport.php. Los dispositivos D-Link DIR-850L REV. A con versiones de firmware hasta FW114WWb07_h2ab_beta1 tienen una vulnerabilidad de Cross-Site Scripting (XSS) en el parámetro action en htdocs/web/shareport.php. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2017-14424
https://notcve.org/view.php?id=CVE-2017-14424
13 Sep 2017 — D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/passwd permissions. Los dispositivos D-Link DIR-850L REV. A (con firmware hasta la versión FW114WWb07_h2ab_beta1) y REV. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-276: Incorrect Default Permissions •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2017-14415
https://notcve.org/view.php?id=CVE-2017-14415
13 Sep 2017 — D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/sitesurvey.php. Los dispositivos D-Link DIR-850L REV. A con versiones de firmware hasta FW114WWb07_h2ab_beta1 tienen una vulnerabilidad de Cross-Site Scripting (XSS) en el parámetro action para htdocs/web/sitesurvey.php. • https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •