Lucene search

[email protected]CVE-2018-6212

HistoryJun 20, 2018 - 4:29 p.m.

CVE-2018-6212

2018-06-2016:29:00

CWE-79

[email protected]

web.nvd.nist.gov

d-link

dir-620

firmware

xss

vulnerability

cve-2018-6212

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

46.0%

JSON

On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, a reflected Cross-Site Scripting (XSS) attack is possible as a result of missed filtration for special characters in the “Search” field and incorrect processing of the XMLHttpRequest object.

Affected configurations

NVD

Node

d-linkdir-620_firmwareMatch1.0.3

d-linkdir-620_firmwareMatch1.0.37

d-linkdir-620_firmwareMatch1.3.1

d-linkdir-620_firmwareMatch1.3.3

d-linkdir-620_firmwareMatch1.3.7

d-linkdir-620_firmwareMatch1.4.0

d-linkdir-620_firmwareMatch2.0.22

AND

dlinkdir-620Match-

CPENameOperatorVersion
d-link:dir-620_firmwared-link dir-620 firmwareeq1.0.3
d-link:dir-620_firmwared-link dir-620 firmwareeq1.0.37
d-link:dir-620_firmwared-link dir-620 firmwareeq1.3.1
d-link:dir-620_firmwared-link dir-620 firmwareeq1.3.3
d-link:dir-620_firmwared-link dir-620 firmwareeq1.3.7
d-link:dir-620_firmwared-link dir-620 firmwareeq1.4.0
d-link:dir-620_firmwared-link dir-620 firmwareeq2.0.22

CPE	Name	Operator	Version
d-link:dir-620_firmware	d-link dir-620 firmware	eq	1.0.3
d-link:dir-620_firmware	d-link dir-620 firmware	eq	1.0.37
d-link:dir-620_firmware	d-link dir-620 firmware	eq	1.3.1
d-link:dir-620_firmware	d-link dir-620 firmware	eq	1.3.3
d-link:dir-620_firmware	d-link dir-620 firmware	eq	1.3.7
d-link:dir-620_firmware	d-link dir-620 firmware	eq	1.4.0
d-link:dir-620_firmware	d-link dir-620 firmware	eq	2.0.22

References

www.securitynewspaper.com/2018/05/25/d-link-dir-620-routers-critical-vulnerabilities/

securelist.com/backdoors-in-d-links-backyard/85530/

securityaffairs.co/wordpress/72839/hacking/d-link-dir-620-flaws.html

www.bleepingcomputer.com/news/security/backdoor-account-found-in-d-link-dir-620-routers/

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

46.0%

JSON

Related for CVE-2018-6212

nvd1 cvelist1 prion1 securelist1