CVE-2017-3191
9.8
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD
Description
D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 are vulnerable to authentication bypass of the remote login page. A remote attacker that can access the remote management login page can manipulate the POST request in such a manner as to access some administrator-only pages such as tools_admin.asp without credentials.
Affected (2)
Products: D Link: Dir 130 Firmware, Dir 330 Firmware
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Version 1.23 |
| Running on/with | Platform Versions |
|---|---|
Dlink Dir 130 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Version 1.12 |
| Running on/with | Platform Versions |
|---|---|
Dlink Dir 330 | All versions |
Related CWEs
CWE-20
Improper Input Validation
The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.
CWE-294
Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
References (8)
Source: cret@cert.org
Issue TrackingThird Party AdvisoryUS Government Resource
Source: cret@cert.org
Press/Media Coverage
Source: cret@cert.org
Issue TrackingThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
VDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingThird Party AdvisoryUS Government Resource
Source: af854a3a-2127-422b-91ae-364da2661108
Press/Media Coverage
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingThird Party Advisory
Timeline
No history available yet.