Vendor CVEs
Dlink
All CVEs
1,843 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description | Vendor / Product | Sev | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-15894 | 0.00 | — | 0.02 | Jul 22, 2020 | An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. There exists an exposed administration function in getcfg.php, which can be used to call various services. It can be utilized by an attacker to retrieve various sensitive information, such as admin… | |||
| CVE-2020-15896 | 0.00 | — | 0.02 | Jul 22, 2020 | An authentication-bypass issue was discovered on D-Link DAP-1522 devices 1.4x before 1.10b04Beta02. There exist a few pages that are directly accessible by any unauthorized user, e.g., logout.php and login.php. This occurs because of checking the value of NO_NEED_AUTH. If the… | |||
| CVE-2020-12774 | 0.00 | — | 0.00 | Jul 22, 2020 | D-Link DSL-7740C does not properly validate user input, which allows an authenticated LAN user to inject arbitrary command. | |||
| CVE-2020-13150 | 0.00 | — | 0.00 | Jun 15, 2020 | D-link DSL-2750U ISL2750UEME3.V1E devices allow approximately 90 seconds of access to the control panel, after a restart, before MAC address filtering rules become active. | |||
| CVE-2020-13960 | 0.00 | — | 0.01 | Jun 8, 2020 | D-Link DSL 2730-U IN_1.10 and IN_1.11 and DIR-600M 3.04 devices have the domain.name string in the DNS resolver search path by default, which allows remote attackers to provide valid DNS responses (and also offer Internet services such as HTTP) for names that otherwise would… | |||
| CVE-2020-13783 | 0.00 | — | 0.01 | Jun 3, 2020 | D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information. | |||
| CVE-2020-13784 | 0.00 | — | 0.01 | Jun 3, 2020 | D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator. | |||
| CVE-2020-13785 | 0.00 | — | 0.01 | Jun 3, 2020 | D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength. | |||
| CVE-2020-13786 | 0.00 | — | 0.01 | Jun 3, 2020 | D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF. | |||
| CVE-2020-13787 | 0.00 | — | 0.01 | Jun 3, 2020 | D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Information. | |||
| CVE-2020-13135 | 0.00 | — | 0.01 | May 18, 2020 | D-Link DSP-W215 1.26b03 devices allow information disclosure by intercepting messages on the local network, as demonstrated by a Squid Proxy. | |||
| CVE-2020-13136 | 0.00 | — | 0.01 | May 18, 2020 | D-Link DSP-W215 1.26b03 devices send an obfuscated hash that can be retrieved and understood by a network sniffer. | |||
| CVE-2019-18666 | 0.00 | — | 0.03 | May 15, 2020 | An issue was discovered on D-Link DAP-1360 revision F devices. Remote attackers can start a telnet service without authorization via an undocumented HTTP request. Although this is the primary vulnerability, the impact depends on the firmware version. Versions 609EU through… | |||
| CVE-2020-9279 | 0.00 | — | 0.02 | Apr 20, 2020 | An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A hard-coded account allows management-interface login with high privileges. The logged-in user can perform critical tasks and take full control of the device. | |||
| CVE-2020-9278 | 0.00 | — | 0.02 | Apr 20, 2020 | An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The device can be reset to its default configuration by accessing an unauthenticated URL. | |||
| CVE-2020-9277 | 0.00 | — | 0.02 | Apr 20, 2020 | An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. Authentication can be bypassed when accessing cgi modules. This allows one to perform administrative tasks (e.g., modify the admin password) with no authentication. | |||
| CVE-2020-9276 | 0.00 | — | 0.03 | Apr 20, 2020 | An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. The function do_cgi(), which processes cgi requests supplied to the device's web servers, is vulnerable to a remotely exploitable stack-based buffer overflow. Unauthenticated exploitation is possible by combining… | |||
| CVE-2020-9275 | 0.00 | — | 0.02 | Apr 20, 2020 | An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials. | |||
| CVE-2020-6765 | 0.00 | — | 0.01 | Apr 10, 2020 | D-Link DSL-GS225 J1 AU_1.0.4 devices allow an admin to execute OS commands by placing shell metacharacters after a supported CLI command, as demonstrated by ping -c1 127.0.0.1; cat/etc/passwd. The CLI is reachable by TELNET. | |||
| CVE-2020-8863 | 0.00 | — | 0.77 | Mar 23, 2020 | This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.10B04. Authentication is not required to exploit this vulnerability. The specific flaw exists within the… | |||
| CVE-2019-12767 | 0.00 | — | 0.02 | Mar 21, 2020 | An issue was discovered on D-Link DAP-1650 devices before 1.04B02_J65H Hot Fix. Attackers can execute arbitrary commands. | |||
| CVE-2019-15656 | 0.00 | — | 0.01 | Mar 19, 2020 | D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to information disclosure via a simple crafted request to index.asp on the web management server because of username_v and password_v variables. | |||
| CVE-2019-15655 | 0.00 | — | 0.01 | Mar 19, 2020 | D-Link DSL-2875AL devices through 1.00.05 are prone to password disclosure via a simple crafted /romfile.cfg request to the web management server. This request doesn't require any authentication and will lead to saving the configuration file. The password is stored in cleartext. | |||
| CVE-2020-10214 | 0.00 | — | 0.18 | Mar 7, 2020 | An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. There is a stack-based buffer overflow in the httpd binary. It allows an authenticated user to execute arbitrary code via a POST to ntp_sync.cgi with a sufficiently long parameter ntp_server. | |||
| CVE-2020-10215 | 0.00 | — | 0.06 | Mar 7, 2020 | An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the dns_query_name parameter in a dns_query.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected. | |||
| CVE-2020-10216 | 0.00 | — | 0.06 | Mar 7, 2020 | An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the date parameter in a system_time.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected. | |||
| CVE-2020-10213 | 0.00 | — | 0.05 | Mar 7, 2020 | An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the wps_sta_enrollee_pin parameter in a set_sta_enrollee_pin.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected. | |||
| CVE-2020-9544 | 0.00 | — | 0.01 | Mar 5, 2020 | An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn't perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install firmware of their choice. | |||
| CVE-2019-19226 | 0.00 | — | 0.03 | Mar 4, 2020 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to enable or disable MAC address filtering by submitting a crafted Forms/WlanMacFilter_1 POST request without being authenticated on the admin… | |||
| CVE-2019-19225 | 0.00 | — | 0.03 | Mar 4, 2020 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to change DNS servers without being authenticated on the admin interface by submitting a crafted Forms/dns_1 POST request. | |||
| CVE-2019-19224 | 0.00 | — | 0.03 | Mar 4, 2020 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to download the configuration (binary file) settings by submitting a rom-0 GET request without being authenticated on the admin interface. | |||
| CVE-2019-19223 | 0.00 | — | 0.04 | Mar 4, 2020 | A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to reboot the router by submitting a reboot.html GET request without being authenticated on the admin interface. | |||
| CVE-2019-19222 | 0.00 | — | 0.02 | Mar 4, 2020 | A Stored XSS issue in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an authenticated attacker to inject arbitrary JavaScript code into the info.html administration page by sending a crafted Forms/wireless_autonetwork_1 POST request. | |||
| CVE-2020-9534 | 0.00 | — | 0.02 | Mar 1, 2020 | fmwlan.c on D-Link DIR-615Jx10 devices has a stack-based buffer overflow via the formWlanSetup webpage parameter when f_radius_ip1 is malformed. | |||
| CVE-2020-9535 | 0.00 | — | 0.02 | Mar 1, 2020 | fmwlan.c on D-Link DIR-615Jx10 devices has a stack-based buffer overflow via the formWlanSetup_Wizard webpage parameter when f_radius_ip1 is malformed. | |||
| CVE-2020-8862 | 0.00 | — | 0.13 | Feb 22, 2020 | This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The… | |||
| CVE-2020-8861 | 0.00 | — | 0.07 | Feb 22, 2020 | This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login… | |||
| CVE-2020-6842 | 0.00 | — | 0.02 | Feb 21, 2020 | D-Link DCH-M225 1.05b01 and earlier devices allow remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the media renderer name. | |||
| CVE-2020-6841 | 0.00 | — | 0.03 | Feb 21, 2020 | D-Link DCH-M225 1.05b01 and earlier devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the spotifyConnect.php userName parameter. | |||
| CVE-2020-8962 | 0.00 | — | 0.02 | Feb 13, 2020 | A stack-based buffer overflow was found on the D-Link DIR-842 REVC with firmware v3.13B09 HOTFIX due to the use of strcpy for LOGINPASSWORD when handling a POST request to the /MTFWU endpoint. | |||
| CVE-2013-3096 | 0.00 | — | 0.01 | Feb 7, 2020 | D-Link DIR865L v1.03 suffers from an "Unauthenticated Hardware Linking" vulnerability. | |||
| CVE-2019-20217 | 0.00 | — | 0.04 | Jan 29, 2020 | D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because SERVER_ID is mishandled. The value of the urn: service/device is checked with the strstr function,… | |||
| CVE-2019-20216 | 0.00 | — | 0.04 | Jan 29, 2020 | D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled. The value of the urn: service/device is checked with the strstr function,… | |||
| CVE-2012-6613 | 0.00 | — | 0.02 | Jan 25, 2020 | D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account. | |||
| CVE-2019-20213 | 0.00 | — | 0.02 | Jan 2, 2020 | D-Link DIR-859 routers before v1.07b03_beta allow Unauthenticated Information Disclosure via the AUTHORIZED_GROUP=1%0a value, as demonstrated by vpnconfig.php. | |||
| CVE-2018-7859 | 0.00 | — | 0.01 | Dec 30, 2019 | A security vulnerability in D-Link DGS-1510-series switches with firmware 1.20.011, 1.30.007, 1.31.B003 and older that may allow a remote attacker to inject malicious scripts in the device and execute commands via browser that is configuring the unit. | |||
| CVE-2019-16327 | 0.00 | — | 0.02 | Dec 26, 2019 | D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypass. They do not check for authentication at the server side and rely on client-side validation, which is bypassable. NOTE: this is an end-of-life product. | |||
| CVE-2019-16326 | 0.00 | — | 0.01 | Dec 26, 2019 | D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token is implemented. A remote attacker could exploit this in conjunction with CVE-2019-16327 to enable remote router management and device compromise. NOTE: this is an end-of-life product. | |||
| CVE-2019-6014 | 0.00 | — | 0.01 | Dec 26, 2019 | DBA-1510P firmware 1.70b009 and earlier allows an attacker to execute arbitrary OS commands via Web User Interface. | |||
| CVE-2019-6013 | 0.00 | — | 0.01 | Dec 26, 2019 | DBA-1510P firmware 1.70b009 and earlier allows authenticated attackers to execute arbitrary OS commands via Command Line Interface (CLI). |