Vulnerabilities (CVE)

Filtered by vendor Dlink Subscribe
Total 1286 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-26615 1 Dlink 2 Dir-823g, Dir-823g Firmware 2024-11-21 N/A 7.5 HIGH
D-Link DIR-823G firmware version 1.02B05 has a password reset vulnerability, which originates from the SetMultipleActions API, allowing unauthorized attackers to reset the WEB page management password.
CVE-2023-26613 1 Dlink 2 Dir-823g, Dir-823g Firmware 2024-11-21 N/A 9.8 CRITICAL
An OS command injection vulnerability in D-Link DIR-823G firmware version 1.02B05 allows unauthorized attackers to execute arbitrary operating system commands via a crafted GET request to EXCU_SHELL.
CVE-2023-26612 1 Dlink 2 Dir-823g, Dir-823g Firmware 2024-11-21 N/A 9.8 CRITICAL
D-Link DIR-823G firmware version 1.02B05 has a buffer overflow vulnerability, which originates from the HostName field in SetParentsControlInfo.
CVE-2023-25282 1 Dlink 2 Dir-820l, Dir-820l Firmware 2024-11-21 N/A 6.5 MEDIUM
A heap overflow vulnerability in D-Link DIR820LA1_FW106B02 allows attackers to cause a denial of service via the config.log_to_syslog and log_opt_dropPackets parameters to mydlink_api.ccp.
CVE-2023-25281 1 Dlink 2 Dir820la1, Dir820la1 Firmware 2024-11-21 N/A 7.5 HIGH
A stack overflow vulnerability exists in pingV4Msg component in D-Link DIR820LA1_FW105B03, allows attackers to cause a denial of service via the nextPage parameter to ping.ccp.
CVE-2023-25280 1 Dlink 2 Dir820la1, Dir820la1 Firmware 2024-11-21 N/A 9.8 CRITICAL
OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
CVE-2022-43648 1 Dlink 2 Dir-3040, Dir-3040 Firmware 2024-11-21 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-3040 1.20B03 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MiniDLNA service. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the MiniDLNA service. Was ZDI-CAN-19910.
CVE-2022-43647 1 Dlink 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more 2024-11-21 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19464.
CVE-2022-43646 1 Dlink 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more 2024-11-21 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Vimeo plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19463.
CVE-2022-43645 1 Dlink 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more 2024-11-21 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the IVI plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19462.
CVE-2022-43644 1 Dlink 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more 2024-11-21 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Dreambox plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19461.
CVE-2022-43643 1 Dlink 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more 2024-11-21 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Generic plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19460.
CVE-2022-43642 1 Dlink 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more 2024-11-21 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the YouTube plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19222.
CVE-2022-43633 1 Dlink 2 Dir-1935, Dir-1935 Firmware 2024-11-21 N/A 6.8 MEDIUM
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetSysLogSettings requests to the web management portal. When parsing the IPAddress element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16154.
CVE-2022-43632 1 Dlink 2 Dir-1935, Dir-1935 Firmware 2024-11-21 N/A 6.8 MEDIUM
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetQoSSettings requests to the web management portal. When parsing subelements within the QoSInfo element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16153.
CVE-2022-43631 1 Dlink 2 Dir-1935, Dir-1935 Firmware 2024-11-21 N/A 6.8 MEDIUM
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetVirtualServerSettings requests to the web management portal. When parsing subelements within the VirtualServerInfo element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16151.
CVE-2022-43630 1 Dlink 2 Dir-1935, Dir-1935 Firmware 2024-11-21 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of http requests to the web management portal. When parsing the SOAPAction header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16150.
CVE-2022-43629 1 Dlink 2 Dir-1935, Dir-1935 Firmware 2024-11-21 N/A 6.8 MEDIUM
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetSysEmailSettings requests to the web management portal. When parsing subelements within the SetSysEmailSettings element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16149.
CVE-2022-43628 1 Dlink 2 Dir-1935, Dir-1935 Firmware 2024-11-21 N/A 6.8 MEDIUM
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetIPv6FirewallSettings requests to the web management portal. When parsing subelements within the IPv6FirewallRule element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16148.
CVE-2022-43627 1 Dlink 2 Dir-1935, Dir-1935 Firmware 2024-11-21 N/A 6.8 MEDIUM
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetStaticRouteIPv4Settings requests to the web management portal. When parsing subelements within the StaticRouteIPv4Data element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16147.