
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

17 Mar 2025 — A vulnerability classified as critical was found in D-Link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is the function SetUpnpSettings of the file /HNAP1/ of the component UPnP Service. The manipulation of the argument SOAPAction leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://lavender-bicycle-a5a.notion.site/D-Link-DIR-823G-SetUpnpSettings-1ac53a41781f80d1a290c8d5da3e795e?pvs=4 • CWE-266: Incorrect Privilege Assignment • CWE-285: Improper Authorization

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

17 Mar 2025 — A vulnerability classified as critical has been found in D-Link DIR-823G 1.0.2B05_20181207. Affected is the function SetDDNSSettings of the file /HNAP1/ of the component DDNS Service. The manipulation of the argument SOAPAction leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://lavender-bicycle-a5a.notion.site/D-Link-DIR-823G-SetDDNSSettings-1ac53a41781f80d98649dd3cbe106e9b?pvs=4 • CWE-266: Incorrect Privilege Assignment • CWE-285: Improper Authorization

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

30 Dec 2024 — A vulnerability was found in D-Link DIR-823G 1.0.2B05_20181207. It has been rated as critical. This issue affects the function SetAutoRebootSettings/SetClientInfo/SetDMZSettings/SetFirewallSettings/SetParentsControlInfo/SetQoSSettings/SetVirtualServerSettings of the file /HNAP1/ of the component Web Management Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. • https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Unauthorized_Vulnerability/D-Link/DIR-823G/SetAutoRebootSettings.md • CWE-266: Incorrect Privilege Assignment • CWE-284: Improper Access Control

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Apr 2024 — D-Link DIR-823G A1V1.0.2B05 was found to contain a NULL pointer dereference in the main function of upload_firmware.cgi, which allows remote attackers to cause a Denial of Service (DoS) via a crafted input. • http://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DIR-823G • CWE-476: NULL Pointer Dereference

CVSS: 10.0 | EPSS: 19% | CPEs: 2 | EXPL: 1

31 Jan 2019 — An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input. • http://www.securityfocus.com/bid/106815 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 7.8 | EPSS: 1% | CPEs: 2 | EXPL: 1

03 Oct 2018 — On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 RunReboot commands without authentication to trigger a reboot. • https://xz.aliyun.com/t/2834#toc-5 • CWE-306: Missing Authentication for Critical Function

CVSS: 9.8 | EPSS: 1% | CPEs: 2 | EXPL: 1

03 Oct 2018 — On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 SetPasswdSettings commands without authentication to trigger an admin password change. • https://xz.aliyun.com/t/2834#toc-5 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password

CVSS: 9.8 | EPSS: 14% | CPEs: 2 | EXPL: 1

02 Oct 2018 — On D-Link DIR-823G devices, ExportSettings.sh, upload_settings.cgi, GetDownLoadSyslog.sh, and upload_firmware.cgi do not require authentication, which allows remote attackers to execute arbitrary code. • https://xz.aliyun.com/t/2834 • CWE-287: Improper Authentication

CVSS: 9.8 | EPSS: 23% | CPEs: 2 | EXPL: 1

02 Oct 2018 — On D-Link DIR-823G devices, the GoAhead configuration allows /HNAP1 Command Injection via shell metacharacters in the POST data, because this data is sent directly to the "system" library function. • https://xz.aliyun.com/t/2834 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')