Filtered by vendor Dlink
Subscribe
Total
719 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-17442 | 1 Dlink | 1 Central Wifimanager | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. An unrestricted file upload vulnerability in the onUploadLogPic endpoint allows remote authenticated users to execute arbitrary PHP code. | |||||
CVE-2018-15874 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability on D-Link DIR-615 routers 20.07 allows an attacker to inject JavaScript into the "Status -> Active Client Table" page via the hostname field in a DHCP request. | |||||
CVE-2019-8313 | 1 Dlink | 2 Dir-878, Dir-878 Firmware | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetIPv6FirewallSettings API function, as demonstrated by shell metacharacters in the SrcIPv6AddressRangeStart field. | |||||
CVE-2018-18008 | 1 Dlink | 14 Dir-140l, Dir-140l Firmware, Dir-640l and 11 more | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
spaces.htm on multiple D-Link devices (DSL, DIR, DWR) allows remote unauthenticated attackers to discover admin credentials. | |||||
CVE-2018-12710 | 1 Dlink | 2 Dir-601, Dir-601 Firmware | 2024-02-04 | 2.7 LOW | 8.0 HIGH |
An issue was discovered on D-Link DIR-601 2.02NA devices. Being local to the network and having only "User" account (which is a low privilege account) access, an attacker can intercept the response from a POST request to obtain "Admin" rights due to the admin password being displayed in XML. | |||||
CVE-2018-20675 | 1 Dlink | 8 Dir-822, Dir-822-us, Dir-822-us Firmware and 5 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Beta, DIR-850L A* before v1.21B08Beta, DIR-850L B* before v2.22B03Beta, and DIR-880L A* before v1.20B02Beta devices allow authentication bypass. | |||||
CVE-2018-20674 | 1 Dlink | 8 Dir-822, Dir-822-us, Dir-822-us Firmware and 5 more | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
D-Link DIR-822 C1 before v3.11B01Beta, DIR-822-US C1 before v3.11B01Beta, DIR-850L A* before v1.21B08Beta, DIR-850L B* before v2.22B03Beta, and DIR-880L A* before v1.20B02Beta devices allow authenticated remote command execution. | |||||
CVE-2019-8392 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to enable Guest Wi-Fi via the SetWLanRadioSettings HNAP API to the web service provided by /bin/goahead. | |||||
CVE-2018-17881 | 2 D-link, Dlink | 2 Dir-823g Firmware, Dir-823g | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 SetPasswdSettings commands without authentication to trigger an admin password change. | |||||
CVE-2018-15839 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
D-Link DIR-615 devices have a buffer overflow via a long Authorization HTTP header. | |||||
CVE-2018-14081 | 2 D-link, Dlink | 4 Dir-809 A1 Firmware, Dir-809 A2 Firmware, Dir-809 Guestzone Firmware and 1 more | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
An issue was discovered on D-Link DIR-809 A1 through 1.09, A2 through 1.11, and Guest Zone through 1.09 devices. Device passwords, such as the admin password and the WPA key, are stored in cleartext. | |||||
CVE-2018-17066 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction in the handler function of the /goform/form2systime.cgi route. This could lead to command injection via shell metacharacters in the datetime parameter. | |||||
CVE-2018-10824 | 2 D-link, Dlink | 16 Dwr-921, Dir-140l, Dir-140l Firmware and 13 more | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access. | |||||
CVE-2018-17064 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/sylogapply route. This could lead to command injection via the syslogIp parameter after /goform/clearlog is invoked. | |||||
CVE-2018-17880 | 2 D-link, Dlink | 2 Dir-823g Firmware, Dir-823g | 2024-02-04 | 7.8 HIGH | 7.5 HIGH |
On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 RunReboot commands without authentication to trigger a reboot. | |||||
CVE-2018-17777 | 1 Dlink | 2 Dva-5592, Dva-5592 Firmware | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have access to the router control panel with administrator privileges. | |||||
CVE-2019-9123 | 2 D-link, Dlink | 2 Dir-825 Rev.b Firmware, Dir-825 Rev.b | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. The "user" account has a blank password. | |||||
CVE-2018-18441 | 2 D-link, Dlink | 36 Dcs-2102 Firmware, Dcs-2121 Firmware, Dcs-2630l Firmware and 33 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
D-Link DCS series Wi-Fi cameras expose sensitive information regarding the device configuration. The affected devices include many of DCS series, such as: DCS-936L, DCS-942L, DCS-8000LH, DCS-942LB1, DCS-5222L, DCS-825L, DCS-2630L, DCS-820L, DCS-855L, DCS-2121, DCS-5222LB1, DCS-5020L, and many more. There are many affected firmware versions starting from 1.00 and above. The configuration file can be accessed remotely through: <Camera-IP>/common/info.cgi, with no authentication. The configuration file include the following fields: model, product, brand, version, build, hw_version, nipca version, device name, location, MAC address, IP address, gateway IP address, wireless status, input/output settings, speaker, and sensor settings. | |||||
CVE-2018-18007 | 1 Dlink | 2 Dsl-2770l, Dsl-2770l Firmware | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated attackers to discover admin credentials. | |||||
CVE-2018-17065 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. Within the handler function of the /goform/DDNS route, a very long password could lead to a stack-based buffer overflow and overwrite the return address. |