8.8
CVE-2020-8863
- EPSS 1.77%
- Veröffentlicht 23.03.2020 21:15:12
- Zuletzt bearbeitet 21.11.2024 05:39:35
- Quelle zdi-disclosures@trendmicro.com
- CVE-Watchlists
- Unerledigt
LoginThis vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.10B04. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper implementation of the authentication algorithm. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. Was ZDI-CAN-9470.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dlink ≫ Dir-878 Firmware Version <= 1.20b03
Dlink ≫ Dir-882 Firmware Version <= 1.10b04
Dlink ≫ Dir-867 Firmware Version <= 1.10b04
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.77% | 0.821 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 8.3 | 6.5 | 10 |
AV:A/AC:L/Au:N/C:C/I:C/A:C
|
| zdi-disclosures@trendmicro.com | 8.8 | 2.8 | 5.9 |
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-303 Incorrect Implementation of Authentication Algorithm
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.