NVD:CVE-2020-25786
Sep 19, 2020 - 8:15 p.m.

CVE-2020-25786

2020-09-19 20:15:11
CWE-79
web.nvd.nist.gov
d-link dir-816l
dir-803
xss vulnerability
http referer header
not exploitable
url encoding
internet explorer

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 44.6%

webinc/js/info.php on D-Link DIR-816L 2.06.B09_BETA and DIR-803 1.04.B02 devices allows XSS via the HTTP Referer header. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: this is typically not exploitable because of URL encoding (except in Internet Explorer) and because a web page cannot specify that a client should make an additional HTTP request with an arbitrary Referer header.

Affected configurations

Nvd
Node
dlink dir-803_firmware Match 1.04.b02
AND
dlink dir-803 Match a1
Node
dlink dir-816l_firmware Match 2.06
OR
dlink dir-816l_firmware Match 2.06.b09 beta
AND
dlink dir-816l Match b1
Node
dlink dir-645_firmware Match 1.06b01
AND
dlink dir-645 Match a1
Node
dlink dir-815_firmware Match 2.07.b01
AND
dlink dir-815 Match b1
Node
dlink dir-860l_firmware Match 1.10b04
AND
dlink dir-860l Match a1
Node
dlink dir-865l_firmware Match 1.08b01
AND
dlink dir-865l Match a1
Vendor  Product            Version   CPE
dlink   dir-803_firmware   1.04.b02  cpe:2.3:o:dlink:dir-803_firmware:1.04.b02:*:*:*:*:*:*:*
dlink   dir-803            a1        cpe:2.3:h:dlink:dir-803:a1:*:*:*:*:*:*:*
dlink   dir-816l_firmware  2.06      cpe:2.3:o:dlink:dir-816l_firmware:2.06:*:*:*:*:*:*:*
dlink   dir-816l_firmware  2.06.b09  cpe:2.3:o:dlink:dir-816l_firmware:2.06.b09:beta:*:*:*:*:*:*
dlink   dir-816l           b1        cpe:2.3:h:dlink:dir-816l:b1:*:*:*:*:*:*:*
dlink   dir-645_firmware   1.06b01   cpe:2.3:o:dlink:dir-645_firmware:1.06b01:*:*:*:*:*:*:*
dlink   dir-645            a1        cpe:2.3:h:dlink:dir-645:a1:*:*:*:*:*:*:*
dlink   dir-815_firmware   2.07.b01  cpe:2.3:o:dlink:dir-815_firmware:2.07.b01:*:*:*:*:*:*:*
dlink   dir-815            b1        cpe:2.3:h:dlink:dir-815:b1:*:*:*:*:*:*:*
dlink   dir-860l_firmware  1.10b04   cpe:2.3:o:dlink:dir-860l_firmware:1.10b04:*:*:*:*:*:*:*