CVSS: 10.0EPSS: 0%CPEs: 14EXPL: 1CVE-2019-18852
https://notcve.org/view.php?id=CVE-2019-18852
Certain D-Link devices have a hardcoded Alphanetworks user account with TELNET access because of /etc/config/image_sign or /etc/alpha_config/image_sign. This affects DIR-600 B1 V2.01 for WW, DIR-890L A1 v1.03, DIR-615 J1 v100 (for DCN), DIR-645 A1 v1.03, DIR-815 A1 v1.01, DIR-823 A1 v1.01, and DIR-842 C1 v3.00. Determinados dispositivos D-Link, poseen una cuenta de usuario de Alphanetworks embebida con acceso de TELNET debido a etc/config/image_sign o /etc/alpha_config/image_sign. Esto afecta a DIR-600 B1 versión V2.01 para WW, DIR-890L A1 versión v1.03, DIR-615 J1 versión v100 (para DCN), DIR-645 A1 versión v1.03, DIR-815 A1 versión v1.01, DIR-823 A1 versión v1.01 y DIR-842 C1 versión v3.00. • https://github.com/ChandlerChin/Dlink_vuls/blob/master/A%20hard%20coded%20telnet%20user%20was%20discovered%20in%20multiple%20Dlink%20routers.pdf • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 1CVE-2017-14948
https://notcve.org/view.php?id=CVE-2017-14948
Certain D-Link products are affected by: Buffer Overflow. This affects DIR-880L 1.08B04 and DIR-895 L/R 1.13b03. The impact is: execute arbitrary code (remote). The component is: htdocs/fileaccess.cgi. The attack vector is: A crafted HTTP request handled by fileacces.cgi could allow an attacker to mount a ROP attack: if the HTTP header field CONTENT_TYPE starts with ''boundary=' followed by more than 256 characters, a buffer overflow would be triggered, potentially causing code execution. • https://github.com/badnack/d_link_880_bug/blob/master/README.md • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 10.0EPSS: 58%CPEs: 13EXPL: 1CVE-2018-19987
https://notcve.org/view.php?id=CVE-2018-19987
D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string. Se descubrió un problema en los dispositivos de D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA, manejan incorrectamente el parámetro IsAccessPoint en el archivo /HNAP1/SetAccessPointMode. • https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-12103
https://notcve.org/view.php?id=CVE-2018-12103
An issue was discovered on D-Link DIR-890L with firmware 1.21B02beta01 and earlier, DIR-885L/R with firmware 1.21B03beta01 and earlier, and DIR-895L/R with firmware 1.21B04beta04 and earlier devices (all hardware revisions). Due to the predictability of the /docs/captcha_(number).jpeg URI, being local to the network, but unauthenticated to the administrator's panel, an attacker can disclose the CAPTCHAs used by the access point and can elect to load the CAPTCHA of their choosing, leading to unauthorized login attempts to the access point. Se ha detectado un fallo en D-Link DIR-890L, con versiones de firmware 1.21B02beta01 y anteriores, en DIR-885L/R, con versiones de firmware 1.21B03beta01 y anteriores, y en DIR-895L/R, con versiones de firmware 1.21B04beta04 y anteriores (en todas las revisiones de hardware). Debido a la previsibilidad del URI /docs/captcha_(number).jpeg, siendo ésta local a la red pero autenticada en el panel de administrador, un atacante puede divulgar los CAPTCHA utilizados por el punto de acceso y puede elegir que se cargue el CAPTCHA de su elección. Esto conduce a intentos de inicio de sesión no autorizados a dicho punto de acceso. • http://seclists.org/fulldisclosure/2018/Jul/13 https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10099 • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 96%CPEs: 18EXPL: 3CVE-2016-6563 – D-Link DIR routers contain a stack-based buffer overflow in the HNAP Login action
https://notcve.org/view.php?id=CVE-2016-6563
Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack in some D-Link DIR routers. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha. The following products are affected: DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L, DIR-868L, and DIR-850L. El procesamiento de mensajes SOAP mal formados al realizar la acción de inicio de sesión HNAP provoca un desbordamiento de búfer en la pila en algunos routers D-Link DIR. Los campos XML vulnerables en el cuerpo SOAP son: Action, Username, LoginPassword y Captcha. • https://www.exploit-db.com/exploits/40805 http://seclists.org/fulldisclosure/2016/Nov/38 http://www.securityfocus.com/bid/94130 https://www.kb.cert.org/vuls/id/677427 https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt https://seclists.org/fulldisclosure/2016/Nov/38 https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_hnap_login_bof.rb • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •