CVE-2021-27250

Published: Apr 14, 2021Modified: Jun 17, 2026

6.5

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of CGI scripts. When parsing the errorpage request parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11856.

Affected (1)

Products: Dlink: Dap 2020 Firmware

1 product

Dap 2020 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dap 2020 Firmware	Version 1.01 rc001

Running on/with	Platform Versions
Dlink Dap 2020	All versions

Related CWEs

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

References (4)

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10201

Source: zdi-disclosures@trendmicro.com

PatchVendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-205/

Source: zdi-disclosures@trendmicro.com

Third Party AdvisoryVDB Entry

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10201

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-205/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.