CVE-2015-7246 – D-Link DVGN5402SP - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-7246
D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 has a default password of root for the root account and tw for the tw account, which makes it easier for remote attackers to obtain administrative access. DLink DVGN5402SP con firmware W1000CN00, W1000CN03 o W2000EN00 tiene una contraseña predeterminada de root para la cuenta root y tw para la cuenta tw, lo que hace más fácil a atacantes remotos obtener acceso administrativo. D-Link DVG-N5402SP suffers from path traversal, weak credential management, and information leakage vulnerabilities. • https://www.exploit-db.com/exploits/39409 http://packetstormsecurity.com/files/135590/D-Link-DVG-N5402SP-Path-Traversal-Information-Disclosure.html http://seclists.org/fulldisclosure/2016/Feb/24 • CWE-798: Use of Hard-coded Credentials •
CVE-2015-7247 – D-Link DVGN5402SP - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-7247
D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 discloses usernames, passwords, keys, values, and web account hashes (super and admin) in plaintext when running a configuration backup, which allows remote attackers to obtain sensitive information. DLink DVGN5402SP con firmware W1000CN00, W1000CN03 o W2000EN00 revela nombres de usuario, contraseñas, claves, valores y hashes de cuentas web (super y admin) en texto plano al ejecutar una copia de seguridad de configuración, lo que permite a atacantes remotos obtener información sensible. D-Link DVG-N5402SP suffers from path traversal, weak credential management, and information leakage vulnerabilities. • https://www.exploit-db.com/exploits/39409 http://packetstormsecurity.com/files/135590/D-Link-DVG-N5402SP-Path-Traversal-Information-Disclosure.html http://seclists.org/fulldisclosure/2016/Feb/24 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-7858
https://notcve.org/view.php?id=CVE-2014-7858
The check_login function in D-Link DNR-326 before 2.10 build 03 allows remote attackers to bypass authentication and log in by setting the username cookie parameter to an arbitrary string. La función check_login en D-Link DNR-326 en versiones anteriores a la 2.10 build 03 permite que atacantes remotos omitan la autenticación e inicien sesión estableciendo el parámetro username cookie en una cadena arbitraria. • http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html http://seclists.org/fulldisclosure/2015/May/125 http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf http://www.securityfocus.com/archive/1/535626/100/200/threaded http://www.securityfocus.com/bid/74886 • CWE-287: Improper Authentication •
CVE-2014-7859
https://notcve.org/view.php?id=CVE-2014-7859
Stack-based buffer overflow in login_mgr.cgi in D-Link firmware DNR-320L and DNS-320LW before 1.04b08, DNR-322L before 2.10 build 03, DNR-326 before 2.10 build 03, and DNS-327L before 1.04b01 allows remote attackers to execute arbitrary code by crafting malformed "Host" and "Referer" header values. Un desbordamiento de búfer basado en pila en login_mgr.cgi en D-Link firmware DNR-320L y DNS-320LW en versiones anteriores a la 1.04b08, DNR-322L en versiones anteriores a la 2.10 build 03, DNR-326 en versiones anteriores a la 2.10 build 03, y DNS-327L en versiones anteriores a la 1.04b01 permite que atacantes remotos ejecuten código arbitrario mediante la manipulación de valores de cabecera "Host" y "Referer" con formato incorrecto. • http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html http://seclists.org/fulldisclosure/2015/May/125 http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf http://www.securityfocus.com/archive/1/535626/100/200/threaded http://www.securityfocus.com/bid/74878 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2014-7860
https://notcve.org/view.php?id=CVE-2014-7860
The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token. El script web/web_file/fb_publish.php en D-Link DNS-320L en versiones anteriores a la 1.04b12 y DNS-327L en versiones anteriores a la 1.03b04 Build0119 no autentica peticiones. Esto permite que atacantes remotos obtengan fotografías arbitrarias y las publiquen en un perfil de Facebook arbitrario mediante un album_id y access_token de destino. • http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html http://seclists.org/fulldisclosure/2015/May/125 http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf http://www.securityfocus.com/archive/1/535626/100/200/threaded http://www.securityfocus.com/bid/74884 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication •