Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2018-12710

From: Kevin R <krandall2013 () gmail com>
Date: Mon, 27 Aug 2018 15:31:03 -0400
An issue was discovered on D-Link DIR-601 2.02NA devices. Being local
to the network and having only "User" account (which is a low
privilege account) access, an attacker can intercept the response from
a POST request to obtain "Admin" rights due to the admin password
being displayed in XML.

------------------------------------------

[Vulnerability Type]
Insecure Permissions

------------------------------------------

[VulnerabilityType Other]
Privilege Escalation

------------------------------------------

[Vendor of Product]
D-Link

------------------------------------------

[Affected Product Code Base]
DIR-601 - 2.02NA

------------------------------------------

[Attack Type]
Local

------------------------------------------

[Impact Escalation of Privileges]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Kevin Randall


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: