Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2017-8406

UNKNOWN
Published 2019-07-02T19:05:07
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2017-8406. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows an hosted flash file on any domain to make calls to the device's webserver and pull any information that is stored on the device. In this case, user's credentials are stored in clear text on the device and can be pulled easily. It also seems that the device does not implement any cross-site scripting forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site flashing attack on the user's browser and execute any action on the device provided by the web management interface which steals the credentials from tools_admin.cgi file's response and displays it inside a Textfield.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-8j5x-5pgf-hfjf

Advisory Details

An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows an hosted flash file on any domain to make calls to the device's webserver and pull any information that is stored on the device. In this case, user's credentials are stored in clear text on the device and can be pulled easily. It also seems that the device does not implement any cross-site scripting forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site flashing attack on the user's browser and execute any action on the device provided by the web management interface which steals the credentials from tools_admin.cgi file's response and displays it inside a Textfield.

CVSS Scoring

CVSS Score

7.5

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-8406
WEB https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf
WEB https://seclists.org/bugtraq/2019/Jun/8
WEB http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html

Advisory provided by GitHub Security Advisory Database. Published: May 24, 2022, Modified: May 24, 2022

References

https://seclists.org/bugtraq/2019/Jun/8
http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf
Published: 2019-07-02T19:05:07
Last Modified: 2024-08-05T16:34:23.211Z
Copied to clipboard!