Dir 850l Firmware
Sign in to watchby Dlink
CVEs (18)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-14429 | Cri | 0.64 | 9.8 | 0.03 | Sep 13, 2017 | The DHCP client on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices allows unauthenticated remote code execution as root because /etc/services/INET/inet_ipv4.php mishandles shell metacharacters, affecting generated files such as WAN-1-udhcpc.sh. | |
| CVE-2017-14421 | Cri | 0.64 | 9.8 | 0.05 | Sep 13, 2017 | D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have a hardcoded password of wrgac25_dlink.2013gui_dir850l for the Alphanetworks account upon device reset, which allows remote attackers to obtain root access via a TELNET session. | |
| CVE-2017-14417 | Cri | 0.64 | 9.8 | 0.01 | Sep 13, 2017 | register_send.php on D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices does not require authentication, which can result in unintended enrollment in mydlink Cloud Services. | |
| CVE-2017-14418 | Hig | 0.53 | 8.1 | 0.01 | Sep 13, 2017 | The D-Link NPAPI extension, as used in conjunction with D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices, sends the cleartext admin password over the Internet as part of interaction with mydlink Cloud Services. | |
| CVE-2017-14428 | Hig | 0.51 | 7.8 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/hostapd* permissions. | |
| CVE-2017-14427 | Hig | 0.51 | 7.8 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/storage_account_root permissions. | |
| CVE-2017-14426 | Hig | 0.51 | 7.8 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0644 /var/etc/shadow (aka the /etc/shadow symlink target) permissions. | |
| CVE-2017-14425 | Hig | 0.51 | 7.8 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/etc/hnapasswd permissions. | |
| CVE-2017-14424 | Hig | 0.51 | 7.8 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/passwd permissions. | |
| CVE-2017-14430 | Hig | 0.49 | 7.5 | 0.01 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices allow remote attackers to cause a denial of service (daemon crash) via crafted LAN traffic. | |
| CVE-2017-14423 | Hig | 0.49 | 7.5 | 0.00 | Sep 13, 2017 | htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices does not prevent unauthenticated nonce-guessing attacks, which makes it easier for remote attackers to change the DNS configuration via a series of requests. | |
| CVE-2017-14422 | Hig | 0.49 | 7.5 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices use the same hardcoded /etc/stunnel.key private key across different customers' installations, which allows remote attackers to defeat the HTTPS cryptographic protection mechanisms by leveraging knowledge of this key from another installation. | |
| CVE-2017-14416 | Med | 0.40 | 6.1 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wandetect.php. | |
| CVE-2017-14415 | Med | 0.40 | 6.1 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/sitesurvey.php. | |
| CVE-2017-14414 | Med | 0.40 | 6.1 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/shareport.php. | |
| CVE-2017-14413 | Med | 0.40 | 6.1 | 0.00 | Sep 13, 2017 | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wpsacts.php. | |
| CVE-2017-14420 | Med | 0.38 | 5.9 | 0.00 | Sep 13, 2017 | The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |
| CVE-2017-14419 | Med | 0.38 | 5.9 | 0.00 | Sep 13, 2017 | The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, participates in mydlink Cloud Services by establishing a TCP relay service for HTTP, even though a TCP relay service for HTTPS is also established. |