CVE-2014-7857
published 2017-08-25

Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build0119, DNR-326 1.40b03, DNS-320B 1.02b01, DNS-345 1.03b06, DNS-325 1.05b03, and DNS-322L 2.00b07 allow remote attackers to bypass authentication and log in with administrator permissions by passing the cgi_set_wto command in the cmd parameter, and setting the spawned session's cookie to username=admin.

Affected

7 ranges
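| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| d-link | dnr-326_firmware | <= 1.40b03 | |
| d-link | dns-320b_firmware | <= 1.02b01 | |
| d-link | dns-320l_firmware | <= 1.03b04 | |
| d-link | dns-322l_firmware | <= 2.00b07 | |
| d-link | dns-325_firmware | <= 1.05b03 | |
| d-link | dns-327l_firmware | <= 1.02 | |
| d-link | dns-345_firmware | <= 1.03b06 | |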