D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 do not sufficiently protect administrator credentials. The tools_admin.asp page discloses the administrator password in base64 encoding in the returned web page. A remote attacker with access to this page (potentially through a authentication bypass such as CVE-2017-3191) may obtain administrator credentials for the device.
[
{
"product": "DIR-130",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "1.23"
}
]
},
{
"product": "DIR-330",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "1.12"
}
]
}
]