8.8
CVE-2017-7852
- EPSS 1%
- Published 24.04.2017 10:59:00
- Last modified 20.04.2025 01:37:25
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1.
Data is provided by the National Vulnerability Database (NVD)
Dlink ≫ Dcs-2230l Firmware Version <= 1.03.01
Dlink ≫ Dcs-2310l Firmware Version <= 1.08.01
Dlink ≫ Dcs-2332l Firmware Version <= 1.08.01
Dlink ≫ Dcs-6010l Firmware Version <= 1.15.01
Dlink ≫ Dcs-7010l Firmware Version <= 1.08.01
Dlink ≫ Dcs-2530l Firmware Version <= 1.00.21
Dlink ≫ Dcs-930l Firmware Version <= 1.15.04
Dlink ≫ Dcs-930l Firmware Version <= 2.13.15
Dlink ≫ Dcs-932l Firmware Version <= 1.13.04
Dlink ≫ Dcs-932l Firmware Version <= 2.13.15
Dlink ≫ Dcs-934l Firmware Version <= 1.04.15
Dlink ≫ Dcs-942l Firmware Version <= 1.27
Dlink ≫ Dcs-942l Firmware Version <= 2.11.03
Dlink ≫ Dcs-931l Firmware Version <= 1.13.05
Dlink ≫ Dcs-933l Firmware Version <= 1.13.05
Dlink ≫ Dcs-5009l Firmware Version <= 1.07.05
Dlink ≫ Dcs-5010l Firmware Version <= 1.13.05
Dlink ≫ Dcs-5020l Firmware Version <= 1.13.05
Dlink ≫ Dcs-5000l Firmware Version <= 1.02.02
Dlink ≫ Dcs-5025l Firmware Version <= 1.02.10
Dlink ≫ Dcs-5030l Firmware Version <= 1.01.06
Dlink ≫ Dcs-2210l Firmware Version <= 1.03.01
Dlink ≫ Dcs-2136l Firmware Version <= 1.04.01
Dlink ≫ Dcs-2132l Firmware Version <= 1.08.01
Dlink ≫ Dcs-7000l Firmware Version <= 1.04.00
Dlink ≫ Dcs-6212l Firmware Version <= 1.00.12
Dlink ≫ Dcs-5029l Firmware Version <= 1.12.00
Dlink ≫ Dcs-2310l Firmware Version <= 2.03.00
Dlink ≫ Dcs-2330l Firmware Version <= 1.13.00
Dlink ≫ Dcs-2132l Firmware Version <= 2.12.00
Dlink ≫ Dcs-5222l Firmware Version <= 2.12.00
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1% | 0.76 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.