CVSS: 6.1EPSS: 0%CPEs: 13EXPL: 1CVE-2020-25786
https://notcve.org/view.php?id=CVE-2020-25786
19 Sep 2020 — webinc/js/info.php on D-Link DIR-816L 2.06.B09_BETA and DIR-803 1.04.B02 devices allows XSS via the HTTP Referer header. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: this is typically not exploitable because of URL encoding (except in Internet Explorer) and because a web page cannot specify that a client should make an additional HTTP request with an arbitrary Referer header El archivo webinc/js/info.php en dispositivos D-Link DIR-816L versión 2.06.B09... • https://github.com/sek1th/iot/blob/master/DIR-816L_XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 83%CPEs: 3EXPL: 1CVE-2020-15893
https://notcve.org/view.php?id=CVE-2020-15893
22 Jul 2020 — An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet. Se detectó un problema en los dispositivos D-Link DIR-816L versiones 2.x anteriores a 1.10b04Beta02. Universal Plug and Play (UPnP) está habilitado por defecto en el puerto 1900. • https://research.loginsoft.com/bugs/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 0CVE-2020-15894
https://notcve.org/view.php?id=CVE-2020-15894
22 Jul 2020 — An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. There exists an exposed administration function in getcfg.php, which can be used to call various services. It can be utilized by an attacker to retrieve various sensitive information, such as admin login credentials, by setting the value of _POST_SERVICES in the query string to DEVICE.ACCOUNT. Se detectó un problema en los dispositivos D-Link DIR-816L versiones 2.x anteriores a 1.10b04Beta02. Se presenta una función de administraci... • https://research.loginsoft.com/bugs/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 35%CPEs: 3EXPL: 1CVE-2020-15895
https://notcve.org/view.php?id=CVE-2020-15895
22 Jul 2020 — An XSS issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. In the file webinc/js/info.php, no output filtration is applied to the RESULT parameter, before it's printed on the webpage. Se detectó un problema de tipo XSS en los dispositivos D-Link DIR-816L versiones 2.x anteriores a 1.10b04Beta02. En el archivo webinc/js/info.php, ninguna filtración de salida es aplicada al parámetro RESULT, antes de que se imprima en la página web • https://research.loginsoft.com/bugs/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 10%CPEs: 10EXPL: 2CVE-2019-7642
https://notcve.org/view.php?id=CVE-2019-7642
25 Mar 2019 — D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmware versions of DIR-817LW (A1-1.04), DIR-816L (B1-2.06), DIR-816 (B1-2.06?), DIR-850L (A1-1.09), and DIR-868L (A1-1.10). Los routers D-Link con la funcionalidad mydlink presentan algunas interfaces web sin requerimientos de autenticación. • https://github.com/xw77cve/CVE-2019-7642 • CWE-306: Missing Authentication for Critical Function •