D-Link DIR-816L devices 2.x before 1.10b04Beta02 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability

Summary

An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. There exists an exposed administration function in getcfg.php, which can be used to call various services. 

Credit:

The information has been provided by the vendor.

The original article can be found at: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10169


Details

The exposed function in getcfg.php can be used by an attacker to retrieve various sensitive information, such as admin login credentials, by setting the value of _POST_SERVICES in the query string to DEVICE.ACCOUNT.
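The advisory gives defenders one concrete indicator: an unauthenticated request to getcfg.php carrying a _POST_SERVICES query parameter, with DEVICE.ACCOUNT being the value that exposes credentials. The following Python script is an added example (not part of the advisory or of D-Link's code) that scans HTTP access-log lines in combined log format for that pattern and grades each hit. The log lines and the client addresses are constructed samples; the log format, the path comparison and the severity labels are assumptions of this example, not something the advisory specifies.

```python
"""Flag requests to the exposed getcfg.php endpoint in router HTTP access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, identity, user, [timestamp], "request line",
# status, size. Assumed layout for this example; adjust to the real log source.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Service values the advisory names as exposing credentials. Constructed set
# that contains only the value given in the advisory text.
CREDENTIAL_SERVICES = {"DEVICE.ACCOUNT"}


def inspect_line(line):
    """Return a finding dict if the line is a getcfg.php request that carries
    a _POST_SERVICES query parameter, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Match the script name regardless of directory prefix or letter case
    if not parts.path.lower().endswith("/getcfg.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    services = params.get("_POST_SERVICES")
    if not services:
        return None
    # Any use of the exposed function is worth a look; a credential-bearing
    # service value is rated higher.
    high = any(s.upper() in CREDENTIAL_SERVICES for s in services)
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "services": services,
        "severity": "high" if high else "medium",
    }


def scan(lines):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log lines (not captured traffic); addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jul/2020:10:01:12 +0000] "GET /getcfg.php?_POST_SERVICES=DEVICE.ACCOUNT HTTP/1.1" 200 1874',
    '192.0.2.5 - - [22/Jul/2020:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Jul/2020:10:01:20 +0000] "GET /getcfg.php?_POST_SERVICES=DEVICE.TIME HTTP/1.1" 200 402',
    '198.51.100.9 - - [22/Jul/2020:10:02:01 +0000] "POST /getcfg.php HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two caveats on the design: only the query-string form described in the advisory is visible in an access log, since request bodies are not recorded there, so a POST with the same parameter in its body produces no finding here (the fourth sample line shows that gap); and a 200 status on a flagged line indicates the device answered, which on an unpatched firmware is the case to treat as a likely credential exposure rather than a mere probe.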


Vulnerable Systems:

D-Link DIR-816L devices 2.x before 1.10b04Beta02


CVE Information:

CVE-2020-15894


Disclosure Timeline:
Published Date: 7/22/2020
