CVSS: 8.8EPSS: 4%CPEs: 2EXPL: 1CVE-2020-24579
https://notcve.org/view.php?id=CVE-2020-24579
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality. Se detectó un problema en los dispositivos D-Link DSL-2888A con versiones de firmware anteriores a AU_2.31_V1.1.47ae55. Un atacante no autenticado podría omitir una autenticación para acceder a páginas y funcionalidades autenticadas • https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce https://www.trustwave.com/en-us/resources/security-resources/security-advisories • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-24578
https://notcve.org/view.php?id=CVE-2020-24578
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. It has a misconfigured FTP service that allows a malicious network user to access system folders and download sensitive files (such as the password hash file). Se detectó un problema en los dispositivos D-Link DSL-2888A con versiones de firmware anteriores a AU_2.31_V1.1.47ae55. Presenta un servicio FTP configurado inapropiadamente que permite a un usuario de red malicioso acceder a unas carpetas del sistema y descargar archivos confidenciales (tal y como el archivo de hash de contraseña) • https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce https://www.trustwave.com/en-us/resources/security-resources/security-advisories • CWE-427: Uncontrolled Search Path Element CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.0EPSS: 0%CPEs: 20EXPL: 0CVE-2020-25759
https://notcve.org/view.php?id=CVE-2020-25759
An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Services Router web interface could allow an authenticated attacker to execute arbitrary commands, due to a lack of validation of inputs provided in multipart HTTP POST requests. Se detectó un problema en los dispositivos D-Link DSR-250 versión 3.17. Determinada funcionalidad en la interfaz web Unified Services Router podría permitir a un atacante autenticado ejecutar comandos arbitrarios, debido a una falta de comprobación de entradas proporcionadas en peticiones HTTP POST de múltiples partes • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10195 https://www.digitaldefense.com/news/zero-day-vuln-d-link-vpn-routers https://www.dlink.com/en/security-bulletin • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 20EXPL: 0CVE-2020-25758
https://notcve.org/view.php?id=CVE-2020-25758
An issue was discovered on D-Link DSR-250 3.17 devices. Insufficient validation of configuration file checksums could allow a remote, authenticated attacker to inject arbitrary crontab entries into saved configurations before uploading. These entries are executed as root. Se detectó un problema en los dispositivos D-Link DSR-250 versión 3.17. Una comprobación insuficiente de checksums del archivo de configuración, podría permitir a un atacante autenticado remoto inyectar entradas crontab arbitrarias en las configuraciones guardadas antes de cargarlas. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10195 https://www.digitaldefense.com/news/zero-day-vuln-d-link-vpn-routers https://www.dlink.com/en/security-bulletin • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 8.8EPSS: 0%CPEs: 20EXPL: 0CVE-2020-25757
https://notcve.org/view.php?id=CVE-2020-25757
A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17. Una falta de comprobación de entrada y controles de acceso en Lua CGI en enrutadores D-Link DSR VPN, puede resultar en una entrada arbitraria que es pasada a las API de comando del sistema, resultando en una ejecución de comandos arbitrarios con privilegios root. Esto afecta a DSR-150, DSR-250, DSR-500 y DSR-1000AC con versiones de firmware 3.14 y 3.17 • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10195 https://www.digitaldefense.com/news/zero-day-vuln-d-link-vpn-routers https://www.dlink.com/en/security-bulletin • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •