CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-6258
https://notcve.org/view.php?id=CVE-2019-6258
D-Link DIR-822 Rev.Bx devices with firmware v.202KRb06 and older allow a buffer overflow via long MacAddress data in a /HNAP1/SetClientInfo HNAP protocol message, which is mishandled in /usr/sbin/udhcpd during reading of the /var/servd/LAN-1-udhcpd.conf file. Los dispositivos D-Link DIR-822 Rev.Bx con versión de firmware v.202KRb06 y anteriores, permiten un desbordamiento del búfer por medio de datos largos de MacAddress en un mensaje de protocolo HNAP /HNAP1/SetClientInfo, que es manejado inapropiadamente en /usr/sbin/udhcpd durante la lectura del archivo /var/servd/LAN-1-udhcpd.conf. • https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2020-15633 – D-Link Multiple Routers HNAP GetCAPTCHAsetting Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2020-15633
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.20B10_BETA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP requests. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10186 https://www.zerodayinitiative.com/advisories/ZDI-20-881 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-9544
https://notcve.org/view.php?id=CVE-2020-9544
An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn't perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install firmware of their choice. Se detectó un problema en los dispositivos D-Link DSL-2640B E1 versión EU_1.01. La interfaz administrativa no realiza comprobaciones de autenticación para una petición POST de actualización de firmware. • https://ktln2.org/2020/03/05/cve-2020-9544 https://www.dlink.com/en/security-bulletin • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2013-6811
https://notcve.org/view.php?id=CVE-2013-6811
Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DSL-6740U gateway (Rev. H1) allow remote attackers to hijack the authentication of administrators for requests that change administrator credentials or enable remote management services to (1) Custom Services in Port Forwarding, (2) Port Triggering Entries, (3) URL Filters in Parental Control, (4) Print Server settings, (5) QoS Queue Setup, or (6) QoS Classification Entries. Múltiples vulnerabilidades de tipo cross-site request forgery (CSRF) en el gateway de D-Link DSL-6740U (Rev. H1), permiten a atacantes remotos secuestrar la autenticación de administradores para peticiones que cambian las credenciales de administrador o habilitan servicios de administración remota para (1) Custom Services en Port Forwarding, (2) Port Triggering Entries, (3) URL Filters en Parental Control, (4) configuración Print Server, (5) QoS Queue Setup, o (6) QoS Classification Entries. • https://exchange.xforce.ibmcloud.com/vulnerabilities/89612 https://web.archive.org/web/20131208091355/http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10005 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-17663
https://notcve.org/view.php?id=CVE-2019-17663
D-Link DIR-866L 1.03B04 devices allow XSS via HtmlResponseMessage in the device common gateway interface, leading to common injection. Los dispositivos D-Link DIR-866L versión 1.03B04, permiten un ataque de tipo XSS por medio de la función HtmlResponseMessage en la interfaz gateway común del dispositivo, conllevando a una inyección común. • https://fortiguard.com/zeroday/FG-VD-19-116 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •