CVE-2014-100005

D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability

Severity Score

8.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.

Múltiples vulnerabilidades de CSRF en el router D-Link DIR-600 (rev. Bx) con firmware anterior a 2.17b02 permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que (1) crean una cuenta de administrador o (2) habilitan la gestión remota a través de un módulo de configuración manipulado en hedwig.cgi, (3) activan nuevos ajustes de configuraciones a través de una acción SETCFG,SAVE,ACTIVATE en pigwidgeon.cgi, o (4) envían un ping a través de una acción ping en diagnostic.php.

D-Link DIR-600 routers contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to change router configurations by hijacking an existing administrator session.

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2015-01-13 CVE Reserved
2015-01-13 CVE Published
2024-05-16 Exploited in Wild
2024-06-06 KEV Due Date
2024-08-06 CVE Updated
2024-08-06 First Exploit
2024-08-25 EPSS Updated

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (4)

URL	Tag	Source
http://secunia.com/advisories/57304	Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/91794	Third Party Advisory

URL	Date	SRC
http://resources.infosecinstitute.com/csrf-unauthorized-remote-admin-access	2024-08-06

URL	Date	SRC
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10018	2024-05-18

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dlink Search vendor "Dlink"	Dir-600 Firmware Search vendor "Dlink" for product "Dir-600 Firmware"	<= 2.16ww Search vendor "Dlink" for product "Dir-600 Firmware" and version " <= 2.16ww"	-	Affected	in	Dlink Search vendor "Dlink"	Dir-600 Search vendor "Dlink" for product "Dir-600"	-	-	Affected