Vulnerabilities (CVE)

Filtered by vendor Dlink Subscribe
Total 960 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-8312 1 Dlink 2 Dir-878, Dir-878 Firmware 2024-11-21 9.0 HIGH 8.8 HIGH
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetSysLogSettings API function, as demonstrated by shell metacharacters in the IPAddress field.
CVE-2019-7736 1 Dlink 2 Dir-600m, Dir-600m Firmware 2024-11-21 7.5 HIGH 9.8 CRITICAL
D-Link DIR-600M C1 3.04 devices allow authentication bypass via a direct request to the wan.htm page. NOTE: this may overlap CVE-2019-13101.
CVE-2019-7642 1 Dlink 10 Dir-816, Dir-816 Firmware, Dir-816l and 7 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmware versions of DIR-817LW (A1-1.04), DIR-816L (B1-2.06), DIR-816 (B1-2.06?), DIR-850L (A1-1.09), and DIR-868L (A1-1.10).
CVE-2019-7390 1 Dlink 2 Dir-823g, Dir-823g Firmware 2024-11-21 5.0 MEDIUM 8.6 HIGH
An issue was discovered in /bin/goahead on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to hijack the DNS service configuration of all clients in the WLAN, without authentication, via the SetWanSettings HNAP API.
CVE-2019-7389 1 Dlink 2 Dir-823g, Dir-823g Firmware 2024-11-21 7.8 HIGH 7.5 HIGH
An issue was discovered in /bin/goahead on D-Link DIR-823G devices with the firmware 1.02B03. There is incorrect access control allowing remote attackers to reset the router without authentication via the SetFactoryDefault HNAP API. Consequently, an attacker can achieve a denial-of-service attack without authentication.
CVE-2019-7388 1 Dlink 2 Dir-823g, Dir-823g Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in /bin/goahead on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to get sensitive information (such as MAC address) about all clients in the WLAN via the GetClientInfo HNAP API. Consequently, an attacker can achieve information disclosure without authentication.
CVE-2019-7298 1 Dlink 2 Dir-823g, Dir-823g Firmware 2024-11-21 9.3 HIGH 8.1 HIGH
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body, such as a body of ' /bin/telnetd' for the GetDeviceSettingsset API function. Consequently, an attacker can execute any command remotely when they control this input.
CVE-2019-7297 2 D-link, Dlink 2 Dir-823g Firmware, Dir-823g 2024-11-21 10.0 HIGH 9.8 CRITICAL
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input.
CVE-2019-6969 1 Dlink 2 Dva-5592, Dva-5592 Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
The web interface of the D-Link DVA-5592 20180823 is vulnerable to an authentication bypass that allows an unauthenticated user to have access to sensitive information such as the Wi-Fi password and the phone number (if VoIP is in use).
CVE-2019-6968 1 Dlink 2 Dva-5592, Dva-5592 Firmware 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The web interface of the D-Link DVA-5592 20180823 is vulnerable to XSS because HTML form parameters are directly reflected.
CVE-2019-6258 2 D-link, Dlink 2 Dir-822 Firmware, Dir-822 2024-11-21 7.5 HIGH 9.8 CRITICAL
D-Link DIR-822 Rev.Bx devices with firmware v.202KRb06 and older allow a buffer overflow via long MacAddress data in a /HNAP1/SetClientInfo HNAP protocol message, which is mishandled in /usr/sbin/udhcpd during reading of the /var/servd/LAN-1-udhcpd.conf file.
CVE-2019-6014 1 Dlink 2 Dba-1510p, Dba-1510p Firmware 2024-11-21 8.3 HIGH 8.8 HIGH
DBA-1510P firmware 1.70b009 and earlier allows an attacker to execute arbitrary OS commands via Web User Interface.
CVE-2019-6013 1 Dlink 2 Dba-1510p, Dba-1510p Firmware 2024-11-21 6.8 MEDIUM 6.6 MEDIUM
DBA-1510P firmware 1.70b009 and earlier allows authenticated attackers to execute arbitrary OS commands via Command Line Interface (CLI).
CVE-2019-20501 1 Dlink 2 Dwl-2600ap, Dwl-2600ap Firmware 2024-11-21 7.2 HIGH 7.8 HIGH
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Upgrade Firmware functionality in the Web interface, using shell metacharacters in the admin.cgi?action=upgrade firmwareRestore or firmwareServerip parameter.
CVE-2019-20500 1 Dlink 2 Dwl-2600ap, Dwl-2600ap Firmware 2024-11-21 7.2 HIGH 7.8 HIGH
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter.
CVE-2019-20499 1 Dlink 2 Dwl-2600ap, Dwl-2600ap Firmware 2024-11-21 7.2 HIGH 7.8 HIGH
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter.
CVE-2019-20217 1 Dlink 2 Dir-859, Dir-859 Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because SERVER_ID is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.
CVE-2019-20216 1 Dlink 2 Dir-859, Dir-859 Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.
CVE-2019-20215 1 Dlink 2 Dir-859, Dir-859 Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.
CVE-2019-20213 1 Dlink 28 Dir-818lx, Dir-818lx Firmware, Dir-822 and 25 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
D-Link DIR-859 routers before v1.07b03_beta allow Unauthenticated Information Disclosure via the AUTHORIZED_GROUP=1%0a value, as demonstrated by vpnconfig.php.