Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-7852

Severity
8.8 HIGH
EPSS
0.9%
top 24.57%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Apr 24
Latest update: May 13

Description

D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Came

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 26 packages

🔴Vulnerability Details

2
GHSA
GHSA-773f-3254-99j9: D-Link DCS cameras have a weak/insecure CrossDomain | 2022-05-13
CVEList
CVE-2017-7852: D-Link DCS cameras have a weak/insecure CrossDomain | 2017-04-24

💥Exploits & PoCs

1
Exploit-DB
D-Link DCS Series Cameras - Insecure Crossdomain | 2017-02-22