Filtered by vendor Dlink
Subscriptions
Total
942 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2018-6529 | 1 Dlink | 6 Dir-860l, Dir-860l Firmware, Dir-865l and 3 more | 2024-08-05 | 6.1 Medium |
XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php in D-Link DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to read a cookie via a crafted Treturn parameter to soap.cgi. | ||||
CVE-2018-6527 | 1 Dlink | 6 Dir-860l, Dir-860l Firmware, Dir-865l and 3 more | 2024-08-05 | 6.1 Medium |
XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php in D-Link DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to read a cookie via a crafted deviceid parameter to soap.cgi. | ||||
CVE-2018-6210 | 1 Dlink | 2 Dir-620, Dir-620 Firmware | 2024-08-05 | 9.8 Critical |
D-Link DIR-620 devices, with a certain Rostelekom variant of firmware 1.0.37, have a hardcoded rostel account, which makes it easier for remote attackers to obtain access via a TELNET session. | ||||
CVE-2018-6212 | 2 D-link, Dlink | 2 Dir-620 Firmware, Dir-620 | 2024-08-05 | N/A |
On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, a reflected Cross-Site Scripting (XSS) attack is possible as a result of missed filtration for special characters in the "Search" field and incorrect processing of the XMLHttpRequest object. | ||||
CVE-2018-6213 | 2 D-link, Dlink | 2 Dir-620 Firmware, Dir-620 | 2024-08-05 | N/A |
In the web server on D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, there is a hardcoded password of anonymous for the admin account. | ||||
CVE-2018-6211 | 2 D-link, Dlink | 2 Dir-620 Firmware, Dir-620 | 2024-08-05 | N/A |
On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, OS command injection is possible as a result of incorrect processing of the res_buf parameter to index.cgi. | ||||
CVE-2018-5708 | 1 Dlink | 2 Dir-601, Dir-601 Firmware | 2024-08-05 | N/A |
An issue was discovered on D-Link DIR-601 B1 2.02NA devices. Being on the same local network as, but being unauthenticated to, the administrator's panel, a user can obtain the admin username and cleartext password in the response (specifically, the configuration file restore_default), which is displayed in XML. | ||||
CVE-2018-5371 | 2 D-link, Dlink | 4 Dsl-2540u Firmware, Dsl-2640u Firmware, Dsl-2540u and 1 more | 2024-08-05 | N/A |
diag_ping.cmd on D-Link DSL-2640U devices with firmware IM_1.00 and ME_1.00, and DSL-2540U devices with firmware ME_1.00, allows authenticated remote attackers to execute arbitrary OS commands via shell metacharacters in the ipaddr field of an HTTP GET request. | ||||
CVE-2019-1010155 | 1 Dlink | 2 Dsl-2750u, Dsl-2750u Firmware | 2024-08-05 | 9.1 Critical |
D-Link DSL-2750U 1.11 is affected by: Authentication Bypass. The impact is: denial of service and information leakage. The component is: login. NOTE: Third parties dispute this issues as not being a vulnerability because although the wizard is accessible without authentication, it can't actually configure anything. Thus, there is no denial of service or information leakage | ||||
CVE-2019-20501 | 1 Dlink | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2024-08-05 | 7.8 High |
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Upgrade Firmware functionality in the Web interface, using shell metacharacters in the admin.cgi?action=upgrade firmwareRestore or firmwareServerip parameter. | ||||
CVE-2019-20500 | 1 Dlink | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2024-08-05 | 7.8 High |
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter. | ||||
CVE-2019-20499 | 1 Dlink | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2024-08-05 | 7.8 High |
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter. | ||||
CVE-2019-20216 | 1 Dlink | 2 Dir-859, Dir-859 Firmware | 2024-08-05 | 9.8 Critical |
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. | ||||
CVE-2019-20215 | 1 Dlink | 2 Dir-859, Dir-859 Firmware | 2024-08-05 | 9.8 Critical |
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. | ||||
CVE-2019-20213 | 1 Dlink | 28 Dir-818lx, Dir-818lx Firmware, Dir-822 and 25 more | 2024-08-05 | 7.5 High |
D-Link DIR-859 routers before v1.07b03_beta allow Unauthenticated Information Disclosure via the AUTHORIZED_GROUP=1%0a value, as demonstrated by vpnconfig.php. | ||||
CVE-2019-20217 | 1 Dlink | 2 Dir-859, Dir-859 Firmware | 2024-08-05 | 9.8 Critical |
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because SERVER_ID is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. | ||||
CVE-2019-19743 | 1 Dlink | 2 Dir-615 T1, Dir-615 T1 Firmware | 2024-08-05 | 6.5 Medium |
On D-Link DIR-615 devices, a normal user is able to create a root(admin) user from the D-Link portal. | ||||
CVE-2019-19742 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-08-05 | 4.8 Medium |
On D-Link DIR-615 devices, the User Account Configuration page is vulnerable to blind XSS via the name field. | ||||
CVE-2019-19597 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2024-08-05 | 8.8 High |
D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header. | ||||
CVE-2019-19598 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2024-08-05 | 8.8 High |
D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function. |