D Link D Link

Do you want an email whenever new security vulnerabilities are reported in any D Link product?

Products by D Link Sorted by Most Security Vulnerabilities since 2018

D Link Central Wifimanager6 vulnerabilities

D Link Dvg N5412sp1 vulnerability

D Link Mydlink1 vulnerability

By the Year

In 2022 there have been 0 vulnerabilities in D Link . D Link did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 0 0.00
2020 1 7.50
2019 2 7.20
2018 6 7.65

It may take a day or so for new D Link vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent D Link Security Vulnerabilities

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL

CVE-2020-12695 7.5 - High - June 08, 2020

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Incorrect Default Permissions

The FTP service on D-Link Central WiFiManager CWM-100 1.03 r0098 devices

CVE-2018-15516 5.8 - Medium - January 31, 2019

The FTP service on D-Link Central WiFiManager CWM-100 1.03 r0098 devices allows remote attackers to conduct a PORT command bounce scan via port 8000, resulting in SSRF.

XSPA

The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually

CVE-2018-15517 8.6 - High - January 31, 2019

The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI.

XSPA

An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06

CVE-2018-18767 7 - High - December 20, 2018

An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials.

Inadequate Encryption Strength

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1

CVE-2018-17440 9.8 - Critical - October 08, 2018

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. They expose an FTP server that serves by default on port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this, a remote unauthenticated attacker could execute arbitrary PHP code by uploading any file in the web root directory and then accessing it via a request.

Unrestricted File Upload

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1

CVE-2018-17441 6.1 - Medium - October 08, 2018

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'username' parameter of the addUser endpoint is vulnerable to stored XSS.

XSS

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1

CVE-2018-17442 8.8 - High - October 08, 2018

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. An unrestricted file upload vulnerability in the onUploadLogPic endpoint allows remote authenticated users to execute arbitrary PHP code.

Unrestricted File Upload

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1

CVE-2018-17443 6.1 - Medium - October 08, 2018

An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The 'sitename' parameter of the UpdateSite endpoint is vulnerable to stored XSS.

XSS

An issue was discovered in D-Link mydlink+ 3.8.5 build 259 for DCS-933L 1.05.04 and DCS-934L 1.05.04 devices

CVE-2018-7698 8.1 - High - March 05, 2018

An issue was discovered in D-Link mydlink+ 3.8.5 build 259 for DCS-933L 1.05.04 and DCS-934L 1.05.04 devices. The mydlink+ app sends the username and password for connected D-Link cameras (such as DCS-933L and DCS-934L) unencrypted from the app to the camera, allowing attackers to obtain these credentials and gain control of the camera including the ability to view the camera's stream and make changes without the user's knowledge.

Insufficiently Protected Credentials

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.