CVE-2014-7857

CWE-287 — Improper Authentication3 documents3 sources

Severity

9.8CRITICAL

EPSS

2.0%

top 16.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

D-link Dnr-326 Firmware D-link Dns-320b Firmware D-link Dns-320l Firmware +4 more

Timeline

PublishedAug 25

Latest updateMay 14

Description

D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build0119, DNR-326 1.40b03, DNS-320B 1.02b01, DNS-345 1.03b06, DNS-325 1.05b03, and DNS-322L 2.00b07 allow remote attackers to bypass authentication and log in with administrator permissions by passing the cgi_set_wto command in the cmd parameter, and setting the spawned session's cookie to username=admin.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages7 packages

▶NVDd-link/dns-320b_firmware1.02b01

▶NVDd-link/dns-320l_firmware1.03b04

▶NVDd-link/dns-322l_firmware2.00b07

▶NVDd-link/dns-327l_firmware1.02

▶NVDd-link/dnr-326_firmware1.40b03

🔴Vulnerability Details

GHSA

GHSA-586h-8q3m-f5hh: D-Link DNS-320L firmware before 1↗2022-05-14

▶

CVEList

CVE-2014-7857: D-Link DNS-320L firmware before 1↗2017-08-25

▶