DATE CVE VULNERABILITY TITLE RISK
2018-10-03 CVE-2018-17880 Missing Authentication for Critical Function vulnerability in D-Link Dir-823G Firmware
On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 RunReboot commands without authentication to trigger a reboot.
network
low complexity
d-link CWE-306
7.5
2018-10-02 CVE-2018-17787 OS Command Injection vulnerability in D-Link Dir-823G Firmware
On D-Link DIR-823G devices, the GoAhead configuration allows /HNAP1 Command Injection via shell metacharacters in the POST data, because this data is sent directly to the "system" library function.
network
low complexity
d-link CWE-78
critical
9.8
2018-10-02 CVE-2018-17786 Improper Authentication vulnerability in D-Link Dir-823G Firmware
On D-Link DIR-823G devices, ExportSettings.sh, upload_settings.cgi, GetDownLoadSyslog.sh, and upload_firmware.cgi do not require authentication, which allows remote attackers to execute arbitrary code.
network
low complexity
d-link CWE-287
critical
9.8
2018-09-03 CVE-2018-16408 OS Command Injection vulnerability in D-Link Dir-846 Firmware 100.26
D-Link DIR-846 devices with firmware 100.26 allow remote attackers to execute arbitrary code as root via a SetNetworkTomographySettings request by leveraging admin access.
network
low complexity
d-link CWE-78
7.2
2018-07-05 CVE-2018-12103 Incorrect Authorization vulnerability in multiple products
An issue was discovered on D-Link DIR-890L with firmware 1.21B02beta01 and earlier, DIR-885L/R with firmware 1.21B03beta01 and earlier, and DIR-895L/R with firmware 1.21B04beta04 and earlier devices (all hardware revisions).
low complexity
dlink d-link CWE-863
6.5
2018-06-20 CVE-2018-6213 Use of Hard-coded Credentials vulnerability in D-Link Dir-620 Firmware
In the web server on D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, there is a hardcoded password of anonymous for the admin account.
network
low complexity
d-link CWE-798
critical
9.8
2018-06-20 CVE-2018-6212 Cross-site Scripting vulnerability in D-Link Dir-620 Firmware
On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, a reflected Cross-Site Scripting (XSS) attack is possible because special characters in the "Search" field are not filtered and the XMLHttpRequest object is processed incorrectly.
network
low complexity
d-link CWE-79
6.1
2018-06-20 CVE-2018-6211 OS Command Injection vulnerability in D-Link Dir-620 Firmware
On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, OS command injection is possible as a result of incorrect processing of the res_buf parameter to index.cgi.
network
low complexity
d-link CWE-78
7.2
2018-05-18 CVE-2018-10968 Insecure Default Initialization of Resource vulnerability in D-Link Dir-550A Firmware and Dir-604M Firmware
On D-Link DIR-550A and DIR-604M devices through v2.10KR, a malicious user can use a default TELNET account to get unauthorized access to vulnerable devices, aka a backdoor access vulnerability.
network
low complexity
d-link CWE-1188
critical
9.8
2018-05-18 CVE-2018-10967 OS Command Injection vulnerability in D-Link Dir-550A Firmware and Dir-604M Firmware
On D-Link DIR-550A and DIR-604M devices through v2.10KR, a malicious user can forge an HTTP request to inject operating system commands that can be executed on the device with higher privileges, aka remote code execution.
network
low complexity
d-link CWE-78
8.8