Page 43 of 846 results (0.011 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. *Information Disclosure – file contains a URL with private IP at line 15 "login.asp" A. The window.location.href = http://192.168.1.1/setupWizard.asp" http://192.168.1.1/setupWizard.asp" ; "admin" – contains default username value "login.asp" B. While accessing the web interface, the login form at *Authorization Bypass – URL by "setupWizard.asp' while it blocks direct access to – the web interface does not properly validate user identity variables values located at the client side, it is available to access it without a "login_glag" and "login_status" checking browser and to read the admin user credentials for the web interface. D-Link G integrated Access Device4 Information Disclosure & Authorization Bypass. El archivo Information Disclosure contiene una URL con IP privada en la línea 15 "login.asp" A. • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-863: Incorrect Authorization •

CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0

DLINK - DSL-224 Post-auth RCE. DLINK router version 3.0.8 has an interface where you can configure NTP servers (Network Time Protocol) via jsonrpc API. It is possible to inject a command through this interface that will run with ROOT permissions on the router. DLINK - DSL-224 Post-auth PCE. El router DLINK tiene una interfaz donde puede configurar servidores NTP (Protocolo de tiempo de red) a través de la API jsonrpc. Es posible inyectar un comando a través de esta interfaz que se ejecutará con permisos ROOT en el router. • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetQoSSettings requests to the web management portal. When parsing subelements within the QoSInfo element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310 https://www.zerodayinitiative.com/advisories/ZDI-22-1504 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetWebFilterSetting requests to the web management portal. When parsing the WebFilterURLs element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310 https://www.zerodayinitiative.com/advisories/ZDI-22-1492 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-1935 1.03 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from an incorrectly implemented comparison. An attacker can leverage this vulnerability to bypass authentication on the system. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310 https://www.zerodayinitiative.com/advisories/ZDI-22-1503 • CWE-697: Incorrect Comparison •