Show filters
11 Total Results
Displaying 1-10 of 11
Sort by:
Attacker Value
Unknown

CVE-2020-18568

Disclosure Date: February 02, 2021 (last updated February 22, 2025)
The D-Link DSR-250 (3.14) DSR-1000N (2.11B201) UPnP service contains a command injection vulnerability, which can cause remote command execution.
Attacker Value
Unknown

CVE-2020-25758

Disclosure Date: December 15, 2020 (last updated February 22, 2025)
An issue was discovered on D-Link DSR-250 3.17 devices. Insufficient validation of configuration file checksums could allow a remote, authenticated attacker to inject arbitrary crontab entries into saved configurations before uploading. These entries are executed as root.
Attacker Value
Unknown

CVE-2020-25757

Disclosure Date: December 15, 2020 (last updated February 22, 2025)
A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17.
Attacker Value
Unknown

CVE-2020-25759

Disclosure Date: December 15, 2020 (last updated February 22, 2025)
An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Services Router web interface could allow an authenticated attacker to execute arbitrary commands, due to a lack of validation of inputs provided in multipart HTTP POST requests.
Attacker Value
Unknown

CVE-2020-26567

Disclosure Date: October 08, 2020 (last updated February 22, 2025)
An issue was discovered on D-Link DSR-250N before 3.17B devices. The CGI script upgradeStatusReboot.cgi can be accessed without authentication. Any access reboots the device, rendering it therefore unusable for several minutes.
Attacker Value
Unknown

CVE-2012-6614

Disclosure Date: February 19, 2020 (last updated February 21, 2025)
D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password.
Attacker Value
Unknown

CVE-2013-5945

Disclosure Date: February 11, 2020 (last updated February 21, 2025)
Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua.
Attacker Value
Unknown

CVE-2012-6613

Disclosure Date: January 25, 2020 (last updated November 28, 2024)
D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account.
Attacker Value
Unknown

CVE-2013-7005

Disclosure Date: December 19, 2013 (last updated October 05, 2023)
D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 stores account passwords in cleartext, which allows local users to obtain sensitive information by reading the Users[#]["Password"] fields in /tmp/teamf1.cfg.ascii.
0
Attacker Value
Unknown

CVE-2013-5946

Disclosure Date: December 19, 2013 (last updated October 05, 2023)
The runShellCmd function in systemCheck.htm in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "Ping or Trace an IP Address" or (2) "Perform a DNS Lookup" section.
0