CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-6580 – D-Link DIR-846 QoS POST deserialization
https://notcve.org/view.php?id=CVE-2023-6580
A vulnerability, which was classified as critical, was found in D-Link DIR-846 FW100A53DBR. This affects an unknown part of the file /HNAP1/ of the component QoS POST Handler. The manipulation of the argument smartqos_express_devices/smartqos_normal_devices leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/c2dc/cve-reported/blob/main/CVE-2023-6580/CVE-2023-6580.md https://vuldb.com/?ctiid.247161 https://vuldb.com/?id.247161 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2CVE-2023-43284
https://notcve.org/view.php?id=CVE-2023-43284
D-Link Wireless MU-MIMO Gigabit AC1200 Router DIR-846 100A53DBR-Retail devices allow an authenticated remote attacker to execute arbitrary code via an unspecified manipulation of the QoS POST parameter. Un problema en la versión de firmware 100A53DBR-Retail del router D-Link Wireless MU-MIMO Gigabit AC1200 Router DIR-846 permite a un atacante remoto ejecutar código arbitrario. • https://github.com/MateusTesser/CVE-2023-43284 https://youtu.be/Y8osw_xU6-0 •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 1CVE-2023-33735
https://notcve.org/view.php?id=CVE-2023-33735
D-Link DIR-846 v1.00A52 was discovered to contain a remote command execution (RCE) vulnerability via the tomography_ping_address parameter in the /HNAP1 interface. • https://github.com/Tyaoo/IoT-Vuls/blob/main/dlink/DIR-846/vul.md https://www.dlink.com/en/security-bulletin •
CVSS: 8.8EPSS: 37%CPEs: 2EXPL: 3CVE-2022-46552 – D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2022-46552
D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request. D-Link DIR-846 suffers from a remote command execution vulnerability. • https://www.exploit-db.com/exploits/51243 http://packetstormsecurity.com/files/171710/D-Link-DIR-846-Remote-Command-Execution.html https://cwe.mitre.org/data/definitions/78.html https://francoataffarel.medium.com/cve-2022-46552-d-link-dir-846-wireless-router-in-firmware-fw100a53dbr-retail-has-a-vulnerability-5b4ca1864c6e https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/SystemExecFunctionsSniff.php https://github.com/c2dc/cve-reported/blob/main/CVE-2022-46552/CVE • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 1CVE-2022-46642
https://notcve.org/view.php?id=CVE-2022-46642
D-Link DIR-846 A1_FW100A43 was discovered to contain a command injection vulnerability via the auto_upgrade_hour parameter in the SetAutoUpgradeInfo function. • https://github.com/CyberUnicornIoT/IoTvuln/blob/main/d-link/dir-846/D-Link%20dir-846%20SetAutoUpgradeInfo%20command%20injection%20vulnerability.md https://www.dlink.com/en/security-bulletin • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •