CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-33259
https://notcve.org/view.php?id=CVE-2021-33259
Several web interfaces in D-Link DIR-868LW 1.12b have no authentication requirements for access, allowing for attackers to obtain users' DNS query history. Varias interfaces web en D-Link DIR-868LW versión 1.12b, no tienen requisitos de autenticación para el acceso, lo que permite a atacantes obtener el historial de consultas de DNS de los usuarios • http://d-link.com http://dir-868lw.com https://github.com/jayus0821/uai-poc/blob/main/D-Link/DIR-868L/webaccess_UAI.md https://www.dlink.com/en/security-bulletin • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.0EPSS: 0%CPEs: 4EXPL: 0CVE-2021-41503
https://notcve.org/view.php?id=CVE-2021-41503
DCS-5000L v1.05 and DCS-932L v2.17 and older are affecged by Incorrect Acess Control. The use of the basic authentication for the devices command interface allows attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer DCS-5000L versión v1.05 y DCS-932L versión v2.17 y anteriores, están afectados por un Control de Acceso Incorrecto. El uso de la autenticación básica para la interfaz de comandos de los dispositivos permite vectores de ataque que pueden comprometer la configuración de las cámaras y permitir que usuarios maliciosos en la LAN accedan al dispositivo. NOTA: Esta vulnerabilidad sólo afecta a los productos que ya no son soportados por el mantenedor. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10247 https://www.dlink.com/en/security-bulletin • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 12%CPEs: 2EXPL: 1CVE-2021-26709 – D-Link DSL-320B-D1 Pre-Authentication Buffer Overflow
https://notcve.org/view.php?id=CVE-2021-26709
D-Link DSL-320B-D1 devices through EU_1.25 are prone to multiple Stack-Based Buffer Overflows that allow unauthenticated remote attackers to take over a device via the login.xgi user and pass parameters. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Los dispositivos D-Link DSL-320B-D1 versiones hasta EU_1.25, son propensos a múltiples desbordamientos de búfer en la región stack de la memoria que permiten a atacantes remotos no autenticados tomar el control de un dispositivo por medio del usuario login.xgi y parámetros pass. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son soportados por el mantenedor The D-Link DSL-320B-D1 ADSL modem suffers from multiple pre-authentication stack buffer overflow vulnerabilities. • http://packetstormsecurity.com/files/162133/D-Link-DSL-320B-D1-Pre-Authentication-Buffer-Overflow.html http://seclists.org/fulldisclosure/2021/Apr/15 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10216 https://www.dlink.com/en/security-bulletin • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-6258
https://notcve.org/view.php?id=CVE-2019-6258
D-Link DIR-822 Rev.Bx devices with firmware v.202KRb06 and older allow a buffer overflow via long MacAddress data in a /HNAP1/SetClientInfo HNAP protocol message, which is mishandled in /usr/sbin/udhcpd during reading of the /var/servd/LAN-1-udhcpd.conf file. Los dispositivos D-Link DIR-822 Rev.Bx con versión de firmware v.202KRb06 y anteriores, permiten un desbordamiento del búfer por medio de datos largos de MacAddress en un mensaje de protocolo HNAP /HNAP1/SetClientInfo, que es manejado inapropiadamente en /usr/sbin/udhcpd durante la lectura del archivo /var/servd/LAN-1-udhcpd.conf. • https://github.com/pr0v3rbs/CVE/tree/master/CVE-2019-6258 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10175 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2020-15633 – D-Link Multiple Routers HNAP GetCAPTCHAsetting Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2020-15633
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.20B10_BETA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP requests. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. • https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10186 https://www.zerodayinitiative.com/advisories/ZDI-20-881 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •