Cross-Site Scripting and Information Disclosure Vulnerability in D-Link DCS-1130
CVE-2017-8406

8.8 HIGH

Key Information:

Vendor
D-Link
CVE Published:
2 July 2019

Summary

A security issue has been identified in D-Link DCS-1130 devices: the device serves a crossdomain.xml file with no access restrictions. This lets a Flash file hosted on any domain interact with the device's web server, potentially leaking sensitive user information, including credentials the device stores in clear text. In addition, the web management interface has no cross-site request forgery (CSRF) protection, so an attacker can cause a logged-in user's browser to perform unauthorized actions on it. Combined, these issues allow credentials to be read from the device's responses, significantly compromising user security.
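The first issue in the summary is a policy-file misconfiguration rather than a code bug, so a defender can audit for it directly. The following checker is an added example for this record, not code from the advisory or from D-Link; it parses a Flash cross-domain policy and reports the permissive settings the summary describes (a wildcard `allow-access-from`, or `secure="false"`), and shows a restricted policy beside the weak one. Both policy documents are constructed for illustration and do not reproduce the file actually served by the DCS-1130.

```python
"""Audit a Flash crossdomain.xml for overly permissive access rules.

Added example for the CVE-2017-8406 record; not part of the advisory or of
D-Link's firmware. Both policy documents below are constructed samples.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample of the weak pattern described in the summary: every
# origin may make credentialed requests to the device and read the responses.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed hardened counterpart: one explicitly named origin, HTTPS only,
# and no other policy files on the host are honoured (master-only).
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="camera-admin.example.internal" secure="true" />
</cross-domain-policy>
"""


def audit_crossdomain_policy(xml_text: str) -> List[str]:
    """Return human-readable findings for a policy; an empty list means none."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]

    # Policies that let any directory on the server publish its own policy
    # file widen the attack surface beyond this one document.
    site_control = root.find("site-control")
    if site_control is not None:
        permitted = site_control.get("permitted-cross-domain-policies", "")
        if permitted.lower() == "all":
            findings.append('permitted-cross-domain-policies="all": any policy file on the host is honoured')

    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may read responses')
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain rule {domain!r}: every host under that parent is trusted")
        # Flash treats a missing secure attribute as true; only an explicit
        # "false" downgrades an HTTPS policy to HTTP origins.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain!r}: plain-HTTP origins may access an HTTPS resource')

    for rule in root.iter("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any origin may send custom headers')

    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain_policy(policy) or ["no findings"])
```

Run against the policy a device actually serves (fetch `/crossdomain.xml` from the management interface and pass the body to `audit_crossdomain_policy`); the CSRF weakness in the summary is separate and is not detectable from this file, since it concerns the absence of per-request tokens or origin checks on the management endpoints.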

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved