D-Link DAR-7000 workidajax.php sql injection
CVE-2023-6581

9.8 CRITICAL

Key Information:

Vendor: D-Link
Status
Vendor
CVE Published: 7 December 2023

Summary

A serious SQL injection vulnerability has been identified within the D-Link DAR-7000 router, specifically affecting the /user/inc/workidajax.php file. This weakness is triggered by manipulating the 'id' parameter, which can lead to unauthorized access to the database. This vulnerability has been publicly disclosed, raising concerns about potential exploitation by malicious actors. Despite the early notification to D-Link regarding this vulnerability, there has been no response from the vendor, highlighting the urgency for affected users to take immediate steps to secure their networks.

Affected Version(s)

DAR-7000 20231126

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wangfei (VulDB User)