← Back

CVE-2020-15633

nvd nist
Published: Jul 23, 2020Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.20B10_BETA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP requests. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. Was ZDI-CAN-10835.

Affected (3)

D Link
3 products
Dir 867 Firmware
Dir 878 Firmware
Dir 882 Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Dir 867 Firmware
Up to 1.20b10
Running on/withPlatform Versions
Dlink
Dir 867
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Dir 878 Firmware
Up to 1.20b05
Running on/withPlatform Versions
Dlink
Dir 878
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Dir 882 Firmware
All versions
Running on/withPlatform Versions
Dlink
Dir 882
All versions

Related CWEs

CWE-288
Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References (4)

Source: zdi-disclosures@trendmicro.com
Vendor Advisory
Source: zdi-disclosures@trendmicro.com
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry

Timeline

No history available yet.