D-Link DAP-1360 webproc WEB_DisplayPage Directory Traversal Information Disclosure Vulnerability
CVE-2023-32137

4.3 MEDIUM

Key Information:

Vendor: D-Link
Status: Vendor
CVE Published: 3 May 2024

Summary

The D-Link DAP-1360 router is affected by an information disclosure vulnerability caused by improper processing of requests to the /cgi-bin/webproc endpoint. The device does not adequately validate user-supplied path input, so an attacker with network access can exploit the issue without authentication. Successful exploitation gives unauthorized access to sensitive information stored on the device, potentially disclosing data in the context of root. This poses a significant risk to the confidentiality of information on affected installations.

Affected Version(s)

DAP-1360 6.14B01 EU HOTFIX

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved