// For flags

CVE-2014-7860

 

Severity Score

5.3
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token.

El script web/web_file/fb_publish.php en D-Link DNS-320L en versiones anteriores a la 1.04b12 y DNS-327L en versiones anteriores a la 1.03b04 Build0119 no autentica peticiones. Esto permite que atacantes remotos obtengan fotografías arbitrarias y las publiquen en un perfil de Facebook arbitrario mediante un album_id y access_token de destino.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-10-03 CVE Reserved
  • 2015-05-28 CVE Published
  • 2023-05-08 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-287: Improper Authentication
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
D-link
Search vendor "D-link"
Dns-327l Firmware
Search vendor "D-link" for product "Dns-327l Firmware"
<= 1.02
Search vendor "D-link" for product "Dns-327l Firmware" and version " <= 1.02"
-
Affected
in Dlink
Search vendor "Dlink"
Dns-327l
Search vendor "Dlink" for product "Dns-327l"
--
Safe
D-link
Search vendor "D-link"
Dns-320l Firmware
Search vendor "D-link" for product "Dns-320l Firmware"
<= 1.03b04
Search vendor "D-link" for product "Dns-320l Firmware" and version " <= 1.03b04"
-
Affected
in Dlink
Search vendor "Dlink"
Dns-320l
Search vendor "Dlink" for product "Dns-320l"
--
Safe