Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-17777

An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have access to the router control panel with administrator privileges.

Published

2018-12-18T22:29:04.790

Last Modified

2024-11-21T03:54:57.460

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-287

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	dlink	dva-5592_firmware	a1_wi_20180823	Yes
Hardware	dlink	dva-5592	-	No

References

https://www.gubello.me/blog/router-dlink-dva-5592-authentication-bypass/ Mitigation, Third Party Advisory ([email protected])
https://www.gubello.me/blog/router-dlink-dva-5592-authentication-bypass/ Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)