Vendor CVEs: D-Link (all CVEs)

1,843 total · sorted by risk
  • CVE-2019-19598 · Dec 5, 2019
    risk 0.00 cvss epss 0.03

    D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If…

  • CVE-2013-6811 · Nov 22, 2019
    risk 0.00 cvss epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DSL-6740U gateway (Rev. H1) allow remote attackers to hijack the authentication of administrators for requests that change administrator credentials or enable remote management services to (1) Custom…

  • CVE-2019-18852 · Nov 11, 2019
    risk 0.00 cvss epss 0.02

    Certain D-Link devices have a hardcoded Alphanetworks user account with TELNET access because of /etc/config/image_sign or /etc/alpha_config/image_sign. This affects DIR-600 B1 V2.01 for WW, DIR-890L A1 v1.03, DIR-615 J1 v100 (for DCN), DIR-645 A1 v1.03, DIR-815 A1 v1.01,…

  • CVE-2013-4855 · Oct 25, 2019
    risk 0.00 cvss epss 0.02

    D-Link DIR-865L has SMB Symlink Traversal due to misconfiguration in the SMB service allowing symbolic links to be created to locations outside of the Samba share.

  • CVE-2013-4856 · Oct 25, 2019
    risk 0.00 cvss epss 0.01

    D-Link DIR-865L has Information Disclosure.

  • CVE-2013-4857 · Oct 25, 2019
    risk 0.00 cvss epss 0.02

    D-Link DIR-865L has PHP File Inclusion in the router xml file.

  • CVE-2019-17512 · Oct 16, 2019
    risk 0.00 cvss epss 0.02

    There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can clear the router's log file via act=clear&logtype=sysact to log_clear.php, which could be used to erase attack traces.

  • CVE-2019-17663 · Oct 16, 2019
    risk 0.00 cvss epss 0.01

    D-Link DIR-866L 1.03B04 devices allow XSS via HtmlResponseMessage in the device common gateway interface, leading to common injection.

  • CVE-2017-14948 · Oct 14, 2019
    risk 0.00 cvss epss 0.05

    Certain D-Link products are affected by: Buffer Overflow. This affects DIR-880L 1.08B04 and DIR-895 L/R 1.13b03. The impact is: execute arbitrary code (remote). The component is: htdocs/fileaccess.cgi. The attack vector is: A crafted HTTP request handled by fileacces.cgi could…

  • CVE-2019-17511 · Oct 14, 2019
    risk 0.00 cvss epss 0.02

    There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can get the router's log file via log_get.php, which could be used to discover the intranet network structure.

  • CVE-2019-17507 · Oct 11, 2019
    risk 0.00 cvss epss 0.02

    An issue was discovered on D-Link DIR-816 A1 1.06 devices. An attacker could access management pages of the router via a client that ignores the 'top.location.href = "/dir_login.asp"' line in a .asp file. This provides access to d_status.asp, version.asp, d_dhcptbl.asp, and…

  • CVE-2019-17509 · Oct 11, 2019
    risk 0.00 cvss epss 0.03

    D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetMasterWLanSettings with shell metacharacters to /squashfs-root/www/HNAP1/control/SetMasterWLanSettings.php.

  • CVE-2019-17510 · Oct 11, 2019
    risk 0.00 cvss epss 0.04

    D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetWizardConfig with shell metacharacters to /squashfs-root/www/HNAP1/control/SetWizardConfig.php.

  • CVE-2019-17505 · Oct 11, 2019
    risk 0.00 cvss epss 0.02

    D-Link DAP-1320 A2-V1.21 routers have some web interfaces without authentication requirements, as demonstrated by uplink_info.xml. An attacker can remotely obtain a user's Wi-Fi SSID and password, which could be used to connect to Wi-Fi or perform a dictionary attack.

  • CVE-2019-17353 · Oct 9, 2019
    risk 0.00 cvss epss 0.03

    An issue was discovered on D-Link DIR-615 devices with firmware version 20.05 and 20.07. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page.

  • CVE-2019-16190 · Sep 9, 2019
    risk 0.00 cvss epss 0.03

    SharePort Web Access on D-Link DIR-868L REVB through 2.03, DIR-885L REVA through 1.20, and DIR-895L REVA through 1.21 devices allows Authentication Bypass, as demonstrated by a direct request to folder_view.php or category_view.php.

  • CVE-2019-10892 · Sep 6, 2019
    risk 0.00 cvss epss 0.02

    An issue was discovered in D-Link DIR-806 devices. There is a stack-based buffer overflow in function hnap_main at /htdocs/cgibin. The function will call sprintf without checking the length of strings in parameters given by HTTP header and can be controlled by users. And it…

  • CVE-2019-13263 · Aug 27, 2019
    risk 0.00 cvss epss 0.01

    D-Link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certain Transaction ID field. Following the DHCP protocol, the router responds with…

  • CVE-2019-13264 · Aug 27, 2019
    risk 0.00 cvss epss 0.01

    D-Link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. In order to transfer data from the host network to the guest network, the sender joins and then leaves an IGMP group. After it…

  • CVE-2019-13265 · Aug 27, 2019
    risk 0.00 cvss epss 0.01

    D-Link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. They forward ARP requests, which are sent as broadcast packets, between the host and the guest networks. To use this leakage as…

  • CVE-2019-15526 · Aug 23, 2019
    risk 0.00 cvss epss 0.04

    An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Type field to SetWanSettings, a related issue to CVE-2019-13482.

  • CVE-2019-15527 · Aug 23, 2019
    risk 0.00 cvss epss 0.04

    An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the MaxIdTime field to SetWanSettings.

  • CVE-2019-15528 · Aug 23, 2019
    risk 0.00 cvss epss 0.04

    An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Interface field to SetStaticRouteSettings.

  • CVE-2019-15530 · Aug 23, 2019
    risk 0.00 cvss epss 0.04

    An issue was discovered on D-Link DIR-823G devices with firmware V1.0.2B05. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the LoginPassword field to Login.

  • CVE-2019-14335 · Aug 8, 2019
    risk 0.00 cvss epss 0.01

    An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated denial of service leading to the reboot of the AP via the admin.cgi?action=%s URI.

  • CVE-2019-6969 · Aug 2, 2019
    risk 0.00 cvss epss 0.03

    The web interface of the D-Link DVA-5592 20180823 is vulnerable to an authentication bypass that allows an unauthenticated user to have access to sensitive information such as the Wi-Fi password and the phone number (if VoIP is in use).

  • CVE-2019-6968 · Aug 2, 2019
    risk 0.00 cvss epss 0.01

    The web interface of the D-Link DVA-5592 20180823 is vulnerable to XSS because HTML form parameters are directly reflected.

  • CVE-2019-14338 · Aug 1, 2019
    risk 0.00 cvss epss 0.02

    An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authentication admin.cgi?action= XSS vulnerability on the management interface.

  • CVE-2019-14337 · Aug 1, 2019
    risk 0.00 cvss epss 0.01

    An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is an ability to escape to a shell in the restricted command line interface, as demonstrated by the `/bin/sh -c wget` sequence.

  • CVE-2019-14336 · Aug 1, 2019
    risk 0.00 cvss epss 0.01

    An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated dump of all of the config files through a certain admin.cgi?action= insecure HTTP request.

  • CVE-2019-14334 · Aug 1, 2019
    risk 0.00 cvss epss 0.00

    An issue was discovered on D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated Certificate and RSA Private Key extraction through an insecure sslcert-get.cgi HTTP command.

  • CVE-2019-14333 · Aug 1, 2019
    risk 0.00 cvss epss 0.01

    An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a pre-authenticated denial of service attack against the access point via a long action parameter to admin.cgi.

  • CVE-2019-14332 · Aug 1, 2019
    risk 0.00 cvss epss 0.01

    An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is use of weak ciphers for SSH such as diffie-hellman-group1-sha1.

  • CVE-2019-1010155 · Jul 23, 2019
    risk 0.00 cvss epss 0.09

    D-Link DSL-2750U 1.11 is affected by: Authentication Bypass. The impact is: denial of service and information leakage. The component is: login. NOTE: Third parties dispute this issue as not being a vulnerability because although the wizard is accessible without authentication,…

  • CVE-2019-13563 · Jul 11, 2019
    risk 0.00 cvss epss 0.01

    D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console.

  • CVE-2019-13562 · Jul 11, 2019
    risk 0.00 cvss epss 0.02

    D-Link DIR-655 C devices before 3.02B05 BETA03 allow XSS, as demonstrated by the /www/ping_response.cgi ping_ipaddr parameter, the /www/ping6_response.cgi ping6_ipaddr parameter, and the /www/apply_sec.cgi html_response_return_page parameter.

  • CVE-2019-13560 · Jul 11, 2019
    risk 0.00 cvss epss 0.04

    D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to force a blank password via the apply_sec.cgi setup_wizard parameter.

  • CVE-2019-13375 · Jul 6, 2019
    risk 0.00 cvss epss 0.28

    A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 in PayAction.class.php with the index.php/Pay/passcodeAuth parameter passcode. The vulnerability does not need any authentication.

  • CVE-2019-13374 · Jul 6, 2019
    risk 0.00 cvss epss 0.02

    A cross-site scripting (XSS) vulnerability in resource view in PayAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to inject arbitrary web script or HTML via the index.php/Pay/passcodeAuth passcode parameter.

  • CVE-2017-8416 · Jul 2, 2019
    risk 0.00 cvss epss 0.12

    An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device runs a custom daemon on UDP port 5978 which is called "dldps2121" and listens for broadcast packets sent on 255.255.255.255. This daemon handles custom D-Link UDP based protocol that allows D-Link mobile…

  • CVE-2017-8413 · Jul 2, 2019
    risk 0.00 cvss epss 0.10

    An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device runs a custom daemon on UDP port 5978 which is called "dldps2121" and listens for broadcast packets sent on 255.255.255.255. This daemon handles custom D-Link UDP based protocol that allows D-Link mobile…

  • CVE-2017-8415 · Jul 2, 2019
    risk 0.00 cvss epss 0.04

    An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password…

  • CVE-2017-8412 · Jul 2, 2019
    risk 0.00 cvss epss 0.06

    An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom binary called mp4ts under the /var/www/video folder. It seems that this binary dumps the HTTP VERB in the system logs. As a part of doing that it retrieves the HTTP VERB sent by the user and…

  • CVE-2017-8417 · Jul 2, 2019
    risk 0.00 cvss epss 0.04

    An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device requires that a user logging into the device provide a username and password. However, the device allows D-Link apps on the mobile devices and desktop to communicate with the device without any…

  • CVE-2017-8414 · Jul 2, 2019
    risk 0.00 cvss epss 0.02

    An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary orthrus in /sbin folder of the device handles all the UPnP connections received by the device. It seems that the binary performs a sprintf operation at address 0x0000A3E4 with the value in the command…

  • CVE-2017-8410 · Jul 2, 2019
    risk 0.00 cvss epss 0.06

    An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary rtspd in /sbin folder of the device handles all the rtsp connections received by the device. It seems that the binary performs a memcpy operation at address 0x00011E34 with the value sent in the…

  • CVE-2017-8405 · Jul 2, 2019
    risk 0.00 cvss epss 0.03

    An issue was discovered on D-Link DCS-1130 and DCS-1100 devices. The binary rtspd in /sbin folder of the device handles all the rtsp connections received by the device. It seems that the binary loads at address 0x00012CF4 a flag called "Authenticate" that indicates whether a…

  • CVE-2017-8409 · Jul 2, 2019
    risk 0.00 cvss epss 0.03

    An issue was discovered on D-Link DCS-1130 devices. The device requires that a user logging in to the device provide a username and password. However, the device does not enforce the same restriction on a specific URL thereby allowing any attacker in possession of that to view…

  • CVE-2017-8406 · Jul 2, 2019
    risk 0.00 cvss epss 0.01

    An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows a hosted Flash file on any domain to make calls to the device's webserver and pull any information that is stored on…

  • CVE-2017-8407 · Jul 2, 2019
    risk 0.00 cvss epss 0.01

    An issue was discovered on D-Link DCS-1130 devices. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross-site request forgery protection mechanism which…