CVE-2017-7404

CWE-352Cross-Site Request Forgery (CSRF)3 documents3 sources
Severity
8.8HIGH
EPSS
0.3%
top 45.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Dlink Dir-615
Timeline
PublishedJul 7
Latest updateMay 24

Description

On the D-Link DIR-615 before v20.12PTb04, if a victim logged in to the Router's Web Interface visits a malicious site from another Browser tab, the malicious site then can send requests to the victim's Router without knowing the credentials (CSRF). An attacker can host a page that sends a POST request to Form2File.htm that tries to upload Firmware to victim's Router. This causes the router to reboot/crash resulting in Denial of Service. An attacker may succeed in uploading malicious Firmware.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

NVDdlink/dir-61520.12ptb01

Patches

Patch: ftp2.dlink.comPatch: ftp2.dlink.com

🔴Vulnerability Details

2
GHSA
GHSA-fjw9-mvg3-xvvg: On the D-Link DIR-615 before v202022-05-24
CVEList
CVE-2017-7404: On the D-Link DIR-615 before v202017-07-07
CVE-2017-7404 (HIGH CVSS 8.8) | On the D-Link DIR-615 before v20.12 | cvebase.io