Cross-Site Scripting in D-Link DIR-816L and DIR-803 Devices
CVE-2020-25786

6.1 MEDIUM

Key Information:

Vendor: D-Link
CVE Published: 19 September 2020

What is CVE-2020-25786?

A Cross-Site Scripting (XSS) vulnerability exists in the web interface of D-Link DIR-816L and DIR-803 devices, allowing attackers to inject malicious scripts through the HTTP Referer header. The issue primarily affects models that D-Link no longer supports, potentially leaving users vulnerable to attacks. While URL encoding may mitigate exploitation risks, specific conditions, such as the use of Internet Explorer, may enable successful attacks. Users of these devices should be aware of this vulnerability and consider upgrading to supported models to protect their networks.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
