CVE-2014-7860 - OpenCVE

The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
D-link	Dns-320l Firmware Dns-327l Firmware
Dlink	Dns-320l Dns-327l

Configuration 1 [-]

AND

cpe:2.3:o:d-link:dns-327l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:d-link:dns-320l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html
http://seclists.org/fulldisclosure/2015/May/125
http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf
http://www.securityfocus.com/archive/1/535626/100/200/threaded
http://www.securityfocus.com/bid/74884

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-08-25T18:00:00

Updated: 2024-08-06T13:03:27.361Z

Reserved: 2014-10-03T00:00:00

Link: CVE-2014-7860

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-08-25T18:29:00.373

Modified: 2023-04-26T18:55:30.893

Link: CVE-2014-7860

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-05-28T00:00:00", "descriptions": [{"lang": "en", "value": "The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html"}, {"name": "74884", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74884"}, {"name": "20150528 [SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/535626/100/200/threaded"}, {"name": "20150531 [SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2015/May/125"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-7860", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html"}, {"name": "74884", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74884"}, {"name": "20150528 [SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535626/100/200/threaded"}, {"name": "20150531 [SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/May/125"}, {"name": "http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf", "refsource": "CONFIRM", "url": "http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:03:27.361Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html"}, {"name": "74884", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/74884"}, {"name": "20150528 [SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/535626/100/200/threaded"}, {"name": "20150531 [SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2015/May/125"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-7860", "datePublished": "2017-08-25T18:00:00", "dateReserved": "2014-10-03T00:00:00", "dateUpdated": "2024-08-06T13:03:27.361Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:d-link:dns-327l_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABE0BD7C-20B3-42BF-8DFA-4866B797C320", "versionEndIncluding": "1.02", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:d-link:dns-320l_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "67E4E8C9-D8DF-46DF-A6B8-9E0DAA8ED78C", "versionEndIncluding": "1.03b04", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*", "matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token."}, {"lang": "es", "value": "El script web/web_file/fb_publish.php en D-Link DNS-320L en versiones anteriores a la 1.04b12 y DNS-327L en versiones anteriores a la 1.03b04 Build0119 no autentica peticiones. Esto permite que atacantes remotos obtengan fotograf\u00edas arbitrarias y las publiquen en un perfil de Facebook arbitrario mediante un album_id y access_token de destino."}], "id": "CVE-2014-7860", "lastModified": "2023-04-26T18:55:30.893", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-25T18:29:00.373", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory", "VDB Entry"], "url": "http://seclists.org/fulldisclosure/2015/May/125"}, {"source": "cve@mitre.org", "tags": ["Technical Description"], "url": "http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/535626/100/200/threaded"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/74884"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}