CVE-2017-7852

Published: Apr 24, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1.

Affected (31)

Products: Dlink: Dcs 2230l Firmware, Dcs 2310l Firmware, Dcs 2332l Firmware, Dcs 6010l Firmware, Dcs 7010l Firmware, Dcs 2530l Firmware, Dcs 930l Firmware, Dcs 932l Firmware, Dcs 934l Firmware, Dcs 942l Firmware, Dcs 931l Firmware, Dcs 933l Firmware, Dcs 5009l Firmware, Dcs 5010l Firmware, Dcs 5020l Firmware, Dcs 5000l Firmware, Dcs 5025l Firmware, Dcs 5030l Firmware, Dcs 2210l Firmware, Dcs 2136l Firmware, Dcs 2132l Firmware, Dcs 7000l Firmware, Dcs 6212l Firmware, Dcs 5029l Firmware, Dcs 2330l Firmware, Dcs 5222l Firmware

26 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 2230l Firmware	Up to 1.03.01

Running on/with	Platform Versions
Dlink Dcs 2230l	All versions

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Dlink Dcs 2310l Firmware	Up to 1.08.01

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 2332l Firmware	Up to 1.08.01

Running on/with	Platform Versions
Dlink Dcs 2332l	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 6010l Firmware	Up to 1.15.01

Running on/with	Platform Versions
Dlink Dcs 6010l	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 7010l Firmware	Up to 1.08.01

Running on/with	Platform Versions
Dlink Dcs 7010l	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 2530l Firmware	Up to 1.00.21

Running on/with	Platform Versions
Dlink Dcs 2530l	All versions

Configuration G

1 vulnerable

Vulnerable Software	Affected Versions
Dlink Dcs 930l Firmware	Up to 1.15.04

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 930l Firmware	Up to 2.13.15

Running on/with	Platform Versions
Dlink Dcs 930l	All versions

Configuration I

1 vulnerable

Vulnerable Software	Affected Versions
Dlink Dcs 932l Firmware	Up to 1.13.04

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 932l Firmware	Up to 2.13.15

Running on/with	Platform Versions
Dlink Dcs 932l	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 934l Firmware	Up to 1.04.15

Running on/with	Platform Versions
Dlink Dcs 934l	All versions

Configuration L

1 vulnerable

Vulnerable Software	Affected Versions
Dlink Dcs 942l Firmware	Up to 1.27

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 942l Firmware	Up to 2.11.03

Running on/with	Platform Versions
Dlink Dcs 942l	All versions

Configuration N

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 931l Firmware	Up to 1.13.05

Running on/with	Platform Versions
Dlink Dcs 931l	All versions

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 933l Firmware	Up to 1.13.05

Running on/with	Platform Versions
Dlink Dcs 933l	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 5009l Firmware	Up to 1.07.05

Running on/with	Platform Versions
Dlink Dcs 5009l	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 5010l Firmware	Up to 1.13.05

Running on/with	Platform Versions
Dlink Dcs 5010l	All versions

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 5020l Firmware	Up to 1.13.05

Running on/with	Platform Versions
Dlink Dcs 5020l	All versions

Configuration S

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 5000l Firmware	Up to 1.02.02

Running on/with	Platform Versions
Dlink Dcs 5000l	All versions

Configuration T

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 5025l Firmware	Up to 1.02.10

Running on/with	Platform Versions
Dlink Dcs 5025l	All versions

Configuration U

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 5030l Firmware	Up to 1.01.06

Running on/with	Platform Versions
Dlink Dcs 5030l	All versions

Configuration V

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 2210l Firmware	Up to 1.03.01

Running on/with	Platform Versions
Dlink Dcs 2210l	All versions

Configuration W

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 2136l Firmware	Up to 1.04.01

Running on/with	Platform Versions
Dlink Dcs 2136l	All versions

Configuration X

1 vulnerable

Vulnerable Software	Affected Versions
Dlink Dcs 2132l Firmware	Up to 1.08.01

Configuration Y

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 7000l Firmware	Up to 1.04.00

Running on/with	Platform Versions
Dlink Dcs 7000l	All versions

Configuration Z

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 6212l Firmware	Up to 1.00.12

Running on/with	Platform Versions
Dlink Dcs 6212l	All versions

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 5029l Firmware	Up to 1.12.00

Running on/with	Platform Versions
Dlink Dcs 5029l	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 2310l Firmware	Up to 2.03.00

Running on/with	Platform Versions
Dlink Dcs 2310l	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 2330l Firmware	Up to 1.13.00

Running on/with	Platform Versions
Dlink Dcs 2330l	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 2132l Firmware	Up to 2.12.00

Running on/with	Platform Versions
Dlink Dcs 2132l	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dcs 5222l Firmware	Up to 2.12.00

Running on/with	Platform Versions
Dlink Dcs 5222l	All versions

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://www.qualys.com/2017/02/22/qsa-2017-02-22/qsa-2017-02-22.pdf

Source: cve@mitre.org

ExploitMitigationThird Party Advisory

https://www.qualys.com/2017/02/22/qsa-2017-02-22/qsa-2017-02-22.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

Timeline

No history available yet.