
CVE-2017-7852

D-Link DCS Series Cameras - Insecure Crossdomain

Severity Score: 8.8 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: see table below (CPE)
Public Exploits: 2 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions

D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because the 'allow-access-from domain' child element is set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another browser tab, the malicious Flash file can then send requests to the victim's DCS series camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve live feeds or information from the victim's DCS series camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1.


D-Link DCS Series cameras implement a weak crossdomain.xml.
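As an added example (not part of the CVE record or of any D-Link firmware), a small Python audit that parses a Flash crossdomain.xml and flags the wildcard allow-access-from rule the description refers to, alongside a constructed hardened policy. Both sample policies and the portal hostname are constructed for illustration.

```python
"""Audit a Flash crossdomain.xml policy for the over-permissive pattern
described in CVE-2017-7852: <allow-access-from domain="*"/>.

Added defender-side example; the sample policies below are constructed
for illustration and are not copied from any D-Link firmware."""
import xml.etree.ElementTree as ET

# Constructed sample: the permissive shape the advisory describes.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# Constructed sample: only one named portal (hypothetical hostname) may
# issue cross-domain requests, and only from an HTTPS origin.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="camera-portal.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        # A wildcard lets any site open in the victim's browser drive
        # authenticated requests to the device (the CSRF path above).
        if domain == "*":
            findings.append("allow-access-from domain='*' permits every origin")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from domain='{domain}' permits all subdomains")
        # secure="false" lets a SWF served over plain HTTP use this policy.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from domain='{domain}' allows insecure (HTTP) access")
    # The header-forwarding rule carries the same risk when wildcarded.
    for rule in root.iter("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append("allow-http-request-headers-from domain='*' permits every origin")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_crossdomain(policy) or ["OK"])
```

Point the function at the policy fetched from a device's /crossdomain.xml to check whether a firmware build still ships the wildcard rule.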

*Credits: N/A
CVSS Scores
CVSS v3.1 (8.8)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2017-02-22 First Exploit
  • 2017-04-13 CVE Reserved
  • 2017-04-24 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product             Version     Other  Status    Platform (in)
Dlink   Dcs-2230l Firmware  <= 1.03.01  -      Affected  Dlink Dcs-2230l (--, Safe)
Dlink   Dcs-2310l Firmware  <= 1.08.01  -      Affected  Dlink Dcs-2310l (--, Safe)
Dlink   Dcs-2332l Firmware  <= 1.08.01  -      Affected  Dlink Dcs-2332l (--, Safe)
Dlink   Dcs-6010l Firmware  <= 1.15.01  -      Affected  Dlink Dcs-6010l (--, Safe)
Dlink   Dcs-7010l Firmware  <= 1.08.01  -      Affected  Dlink Dcs-7010l (--, Safe)
Dlink   Dcs-2530l Firmware  <= 1.00.21  -      Affected  Dlink Dcs-2530l (--, Safe)
Dlink   Dcs-930l Firmware   <= 1.15.04  -      Affected  Dlink Dcs-930l (--, Safe)
Dlink   Dcs-930l Firmware   <= 2.13.15  -      Affected  Dlink Dcs-930l (--, Safe)
Dlink   Dcs-932l Firmware   <= 1.13.04  -      Affected  Dlink Dcs-932l (--, Safe)
Dlink   Dcs-932l Firmware   <= 2.13.15  -      Affected  Dlink Dcs-932l (--, Safe)
Dlink   Dcs-934l Firmware   <= 1.04.15  -      Affected  Dlink Dcs-934l (--, Safe)
Dlink   Dcs-942l Firmware   <= 1.27     -      Affected  Dlink Dcs-942l (--, Safe)
Dlink   Dcs-942l Firmware   <= 2.11.03  -      Affected  Dlink Dcs-942l (--, Safe)
Dlink   Dcs-931l Firmware   <= 1.13.05  -      Affected  Dlink Dcs-931l (--, Safe)
Dlink   Dcs-933l Firmware   <= 1.13.05  -      Affected  Dlink Dcs-933l (--, Safe)
Dlink   Dcs-5009l Firmware  <= 1.07.05  -      Affected  Dlink Dcs-5009l (--, Safe)
Dlink   Dcs-5010l Firmware  <= 1.13.05  -      Affected  Dlink Dcs-5010l (--, Safe)
Dlink   Dcs-5020l Firmware  <= 1.13.05  -      Affected  Dlink Dcs-5020l (--, Safe)
Dlink   Dcs-5000l Firmware  <= 1.02.02  -      Affected  Dlink Dcs-5000l (--, Safe)
Dlink   Dcs-5025l Firmware  <= 1.02.10  -      Affected  Dlink Dcs-5025l (--, Safe)
Dlink   Dcs-5030l Firmware  <= 1.01.06  -      Affected  Dlink Dcs-5030l (--, Safe)
Dlink   Dcs-2210l Firmware  <= 1.03.01  -      Affected  Dlink Dcs-2210l (--, Safe)
Dlink   Dcs-2136l Firmware  <= 1.04.01  -      Affected  Dlink Dcs-2136l (--, Safe)
Dlink   Dcs-2132l Firmware  <= 1.08.01  -      Affected  Dlink Dcs-2132l (--, Safe)
Dlink   Dcs-7000l Firmware  <= 1.04.00  -      Affected  Dlink Dcs-7000l (--, Safe)
Dlink   Dcs-6212l Firmware  <= 1.00.12  -      Affected  Dlink Dcs-6212l (--, Safe)
Dlink   Dcs-5029l Firmware  <= 1.12.00  -      Affected  Dlink Dcs-5029l (--, Safe)
Dlink   Dcs-2310l Firmware  <= 2.03.00  -      Affected  Dlink Dcs-2310l (--, Safe)
Dlink   Dcs-2330l Firmware  <= 1.13.00  -      Affected  Dlink Dcs-2330l (--, Safe)
Dlink   Dcs-2132l Firmware  <= 2.12.00  -      Affected  Dlink Dcs-2132l (--, Safe)
Dlink   Dcs-5222l Firmware  <= 2.12.00  -      Affected  Dlink Dcs-5222l (--, Safe)