CVE-2020-15896

Published: Jul 22, 2020Modified: Jun 17, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An authentication-bypass issue was discovered on D-Link DAP-1522 devices 1.4x before 1.10b04Beta02. There exist a few pages that are directly accessible by any unauthorized user, e.g., logout.php and login.php. This occurs because of checking the value of NO_NEED_AUTH. If the value of NO_NEED_AUTH is 1, the user has direct access to the webpage without any authentication. By appending a query string NO_NEED_AUTH with the value of 1 to any protected URL, any unauthorized user can access the application directly, as demonstrated by bsc_lan.php?NO_NEED_AUTH=1.

Affected (2)

Products: Dlink: Dap 1522 Firmware

1 product

Dap 1522 Firmware

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dap 1522 Firmware	Version 1.41
Dlink Dap 1522 Firmware	Version 1.42

Running on/with	Platform Versions
Dlink Dap 1522	Version a1

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (4)

https://research.loginsoft.com/bugs/authentication-bypass-in-d-link-firmware-dap-1522/

Source: cve@mitre.org

Third Party Advisory

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10169

Source: cve@mitre.org

PatchVendor Advisory

https://research.loginsoft.com/bugs/authentication-bypass-in-d-link-firmware-dap-1522/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10169

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.