CVE-2016-10699 - OpenCVE

D-Link DSL-2740E 1.00_BG_20150720 devices are prone to persistent XSS attacks in the username and password fields: a remote unauthenticated user may craft logins and passwords with script tags in them. Because there is no sanitization in the input fields, an unaware logged-in administrator may be a victim when checking the router logs.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dlink	Dsl-2740e Dsl-2740e Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dsl-2740e_firmware:1.00_bg_20150720:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dsl-2740e:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/101622
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-018/?fid=8411

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-31T07:00:00

Updated: 2024-08-06T03:30:20.128Z

Reserved: 2017-10-31T00:00:00

Link: CVE-2016-10699

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-10-31T07:29:00.237

Modified: 2023-04-26T19:27:52.350

Link: CVE-2016-10699

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-31T00:00:00", "descriptions": [{"lang": "en", "value": "D-Link DSL-2740E 1.00_BG_20150720 devices are prone to persistent XSS attacks in the username and password fields: a remote unauthenticated user may craft logins and passwords with script tags in them. Because there is no sanitization in the input fields, an unaware logged-in administrator may be a victim when checking the router logs."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-01T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "101622", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101622"}, {"tags": ["x_refsource_MISC"], "url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-018/?fid=8411"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-10699", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "D-Link DSL-2740E 1.00_BG_20150720 devices are prone to persistent XSS attacks in the username and password fields: a remote unauthenticated user may craft logins and passwords with script tags in them. Because there is no sanitization in the input fields, an unaware logged-in administrator may be a victim when checking the router logs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "101622", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101622"}, {"name": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-018/?fid=8411", "refsource": "MISC", "url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-018/?fid=8411"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T03:30:20.128Z"}, "title": "CVE Program Container", "references": [{"name": "101622", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101622"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-018/?fid=8411"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-10699", "datePublished": "2017-10-31T07:00:00", "dateReserved": "2017-10-31T00:00:00", "dateUpdated": "2024-08-06T03:30:20.128Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dsl-2740e_firmware:1.00_bg_20150720:*:*:*:*:*:*:*", "matchCriteriaId": "334BFE91-EFFC-41A7-A438-EC7147BCA2B0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dsl-2740e:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1554871-4273-4578-BF21-DDF856B94884", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "D-Link DSL-2740E 1.00_BG_20150720 devices are prone to persistent XSS attacks in the username and password fields: a remote unauthenticated user may craft logins and passwords with script tags in them. Because there is no sanitization in the input fields, an unaware logged-in administrator may be a victim when checking the router logs."}, {"lang": "es", "value": "Los dispositivos DSL-2740E 1.00_BG_20150720 de D-Link son propensos a ataques XSS en los campos username y password: un usuario remoto no autenticado puede modificar nombres de usuarios y contrase\u00f1as con etiquetas script en ellos. Debido a que no hay sanitizaci\u00f3n en los campos de entrada, un administrador que inicie sesi\u00f3n y no sea consciente de esto puede convertirse en una v\u00edctima cuando se verifican los registros del router."}], "id": "CVE-2016-10699", "lastModified": "2023-04-26T19:27:52.350", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-31T07:29:00.237", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101622"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-018/?fid=8411"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}