Filtered by vendor Dlink
Subscriptions
Total
1170 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-19223 | 1 Dlink | 2 Dsl-2680, Dsl-2680 Firmware | 2024-11-21 | 7.5 High |
| A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an attacker to reboot the router by submitting a reboot.html GET request without being authenticated on the admin interface. | ||||
| CVE-2019-19222 | 1 Dlink | 2 Dsl-2680, Dsl-2680 Firmware | 2024-11-21 | 5.4 Medium |
| A Stored XSS issue in the D-Link DSL-2680 web administration interface (Firmware EU_1.03) allows an authenticated attacker to inject arbitrary JavaScript code into the info.html administration page by sending a crafted Forms/wireless_autonetwork_1 POST request. | ||||
| CVE-2019-18852 | 1 Dlink | 14 Dir-600 B1, Dir-600 B1 Firmware, Dir-615 J1 and 11 more | 2024-11-21 | 9.8 Critical |
| Certain D-Link devices have a hardcoded Alphanetworks user account with TELNET access because of /etc/config/image_sign or /etc/alpha_config/image_sign. This affects DIR-600 B1 V2.01 for WW, DIR-890L A1 v1.03, DIR-615 J1 v100 (for DCN), DIR-645 A1 v1.03, DIR-815 A1 v1.01, DIR-823 A1 v1.01, and DIR-842 C1 v3.00. | ||||
| CVE-2019-18666 | 1 Dlink | 2 Dap-1360 Revision F, Dap-1360 Revision F Firmware | 2024-11-21 | 9.8 Critical |
| An issue was discovered on D-Link DAP-1360 revision F devices. Remote attackers can start a telnet service without authorization via an undocumented HTTP request. Although this is the primary vulnerability, the impact depends on the firmware version. Versions 609EU through 613EUbeta were tested. Versions through 6.12b01 have weak root credentials, allowing an attacker to gain remote root access. After 6.12b01, the root credentials were changed but the telnet service can still be started without authorization. | ||||
| CVE-2019-17663 | 2 D-link, Dlink | 2 Dir-866l Firmware, Dir-866l | 2024-11-21 | 6.1 Medium |
| D-Link DIR-866L 1.03B04 devices allow XSS via HtmlResponseMessage in the device common gateway interface, leading to common injection. | ||||
| CVE-2019-17525 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-11-21 | 8.8 High |
| The login page on D-Link DIR-615 T1 20.10 devices allows remote attackers to bypass the CAPTCHA protection mechanism and conduct brute-force attacks. | ||||
| CVE-2019-17512 | 1 Dlink | 2 Dir-412, Dir-412 Firmware | 2024-11-21 | 9.1 Critical |
| There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can clear the router's log file via act=clear&logtype=sysact to log_clear.php, which could be used to erase attack traces. | ||||
| CVE-2019-17511 | 1 Dlink | 2 Dir-412, Dir-412 Firmware | 2024-11-21 | 7.5 High |
| There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can get the router's log file via log_get.php, which could be used to discover the intranet network structure. | ||||
| CVE-2019-17510 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2024-11-21 | 9.8 Critical |
| D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetWizardConfig with shell metacharacters to /squashfs-root/www/HNAP1/control/SetWizardConfig.php. | ||||
| CVE-2019-17509 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2024-11-21 | 9.8 Critical |
| D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetMasterWLanSettings with shell metacharacters to /squashfs-root/www/HNAP1/control/SetMasterWLanSettings.php. | ||||
| CVE-2019-17508 | 1 Dlink | 4 Dir-850l A, Dir-850l A Firmware, Dir-859 A3 and 1 more | 2024-11-21 | 9.8 Critical |
| On D-Link DIR-859 A3-1.06 and DIR-850 A1.13 devices, /etc/services/DEVICE.TIME.php allows command injection via the $SERVER variable. | ||||
| CVE-2019-17507 | 1 Dlink | 2 Dir-816 A1, Dir-816 A1 Firmware | 2024-11-21 | 7.5 High |
| An issue was discovered on D-Link DIR-816 A1 1.06 devices. An attacker could access management pages of the router via a client that ignores the 'top.location.href = "/dir_login.asp"' line in a .asp file. This provides access to d_status.asp, version.asp, d_dhcptbl.asp, and d_acl.asp. | ||||
| CVE-2019-17506 | 1 Dlink | 4 Dir-817lw A1, Dir-817lw A1 Firmware, Dir-868l B1 and 1 more | 2024-11-21 | 9.8 Critical |
| There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely. | ||||
| CVE-2019-17505 | 1 Dlink | 2 Dap-1320 A2, Dap-1320 A2 Firmware | 2024-11-21 | 7.5 High |
| D-Link DAP-1320 A2-V1.21 routers have some web interfaces without authentication requirements, as demonstrated by uplink_info.xml. An attacker can remotely obtain a user's Wi-Fi SSID and password, which could be used to connect to Wi-Fi or perform a dictionary attack. | ||||
| CVE-2019-17353 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-11-21 | 8.2 High |
| An issue discovered on D-Link DIR-615 devices with firmware version 20.05 and 20.07. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page. | ||||
| CVE-2019-17146 | 1 Dlink | 4 Dcs-935l, Dcs-935l Firmware, Dcs-960l and 1 more | 2024-11-21 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link DCS-960L v1.07.102. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HNAP service, which listens on TCP port 80 by default. When parsing the SOAPAction request header, the process does not properly validate the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-8458. | ||||
| CVE-2019-16327 | 1 Dlink | 2 Dir-601, Dir-601 Firmware | 2024-11-21 | 9.8 Critical |
| D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypass. They do not check for authentication at the server side and rely on client-side validation, which is bypassable. NOTE: this is an end-of-life product. | ||||
| CVE-2019-16326 | 1 Dlink | 2 Dir-601, Dir-601 Firmware | 2024-11-21 | 8.8 High |
| D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token is implemented. A remote attacker could exploit this in conjunction with CVE-2019-16327 to enable remote router management and device compromise. NOTE: this is an end-of-life product. | ||||
| CVE-2019-16190 | 1 Dlink | 6 Dir-868l, Dir-868l Firmware, Dir-885l and 3 more | 2024-11-21 | 9.8 Critical |
| SharePort Web Access on D-Link DIR-868L REVB through 2.03, DIR-885L REVA through 1.20, and DIR-895L REVA through 1.21 devices allows Authentication Bypass, as demonstrated by a direct request to folder_view.php or category_view.php. | ||||
| CVE-2019-15656 | 1 Dlink | 4 Dsl-2875al, Dsl-2875al Firmware, Dsl-2877al and 1 more | 2024-11-21 | 7.5 High |
| D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to information disclosure via a simple crafted request to index.asp on the web management server because of username_v and password_v variables. | ||||