Broken Access Control in D-Link DSL-2680 Web Administration Interface
CVE-2019-19224

7.5HIGH

Key Information:

Vendor
D-Link
Status
Dsl-2680 Firmware
Vendor
CVE Published:
4 March 2020

Summary

A vulnerability has been identified in the D-Link DSL-2680 web administration interface, specifically in Firmware version EU_1.03. This issue allows unauthorized users to exploit broken access control mechanisms and download sensitive configuration files by sending a GET request to the rom-0 endpoint without proper authentication. As a result, attackers may gain access to critical binary files that could compromise the security of the device.

References

https://www.ftc.gov/system/files/documents/cases/dlink_pr...
x_refsource_MISC
https://www.dlink.com/en/security-bulletin
x_refsource_MISC
https://github.com/0x8b30cc/DSL-2680-Multiple-Vulnerabili...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.