Dlink Dir-816 Firmware vulnerabilities

70 known vulnerabilities affecting dlink/dir-816_firmware.

Total CVEs
70
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL35HIGH14MEDIUM21

Vulnerabilities

Page 4 of 4
CVE-2021-39509CRITICALCVSS 9.8v1.10cnb05_r1b011d882102021-08-24
CVE-2021-39509 [CRITICAL] CWE-77 CVE-2021-39509: An issue was discovered in D-Link DIR-816 DIR-816A2_FWv1.10CNB05_R1B011D88210 The HTTP request param An issue was discovered in D-Link DIR-816 DIR-816A2_FWv1.10CNB05_R1B011D88210 The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.
nvd
CVE-2021-39510CRITICALCVSS 9.8v101cnb042021-08-24
CVE-2021-39510 [CRITICAL] CWE-77 CVE-2021-39510: An issue was discovered in D-Link DIR816_A1_FW101CNB04 750m11ac wireless router, The HTTP request pa An issue was discovered in D-Link DIR816_A1_FW101CNB04 750m11ac wireless router, The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.
nvd
CVE-2021-27113CRITICALCVSS 9.8v1.10b052021-04-14
CVE-2021-27113 [CRITICAL] CWE-78 CVE-2021-27113: An issue was discovered in D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in An issue was discovered in D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/addRouting route. This could lead to Command Injection via Shell Metacharacters.
nvd
CVE-2021-27114CRITICALCVSS 9.8v1.10b052021-04-14
CVE-2021-27114 [CRITICAL] CWE-787 CVE-2021-27114: An issue was discovered in D-Link DIR-816 A2 1.10 B05 devices. Within the handler function of the /g An issue was discovered in D-Link DIR-816 A2 1.10 B05 devices. Within the handler function of the /goform/addassignment route, a very long text entry for the"'s_ip" and "s_mac" fields could lead to a Stack-Based Buffer Overflow and overwrite the return address.
nvd
CVE-2021-26810CRITICALCVSS 9.8v1.10b052021-03-30
CVE-2021-26810 [CRITICAL] CWE-78 CVE-2021-26810: D-link DIR-816 A2 v1.10 is affected by a remote code injection vulnerability. An HTTP request parame D-link DIR-816 A2 v1.10 is affected by a remote code injection vulnerability. An HTTP request parameter can be used in command string construction in the handler function of the /goform/dir_setWanWifi, which can lead to command injection via shell metacharacters in the statuscheckpppoeuser parameter.
nvd
CVE-2019-10041CRITICALCVSS 9.8v1.112019-03-25
CVE-2019-10041 [CRITICAL] CWE-306 CVE-2019-10041: The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use an API URL /goform/form2userconfig.cgi to edit the system account without authentication.
nvd
CVE-2019-10040CRITICALCVSS 9.8v1.112019-03-25
CVE-2019-10040 [CRITICAL] CWE-306 CVE-2019-10040: The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use a hidden API URL /goform/SystemCommand to execute a system command without authentication.
nvd
CVE-2019-10039CRITICALCVSS 9.8v1.112019-03-25
CVE-2019-10039 [CRITICAL] CWE-306 CVE-2019-10039: The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use an API URL /goform/setSysAdm to edit the web or system account without authentication.
nvd
CVE-2019-10042HIGHCVSS 7.5v1.112019-03-25
CVE-2019-10042 [HIGH] CWE-306 CVE-2019-10042: The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dir_login.asp and use an API URL /goform/LoadDefaultSettings to reset the router without authentication.
nvd
CVE-2019-7642HIGHCVSS 7.5v2.062019-03-25
CVE-2019-7642 [HIGH] CWE-306 CVE-2019-7642: D-Link routers with the mydlink feature have some web interfaces without authentication requirements D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmware versions of DIR-817LW (A1-1.04), DIR-816L (B1-2.06), DIR-816 (B1-2.06?), DIR-850L (A1-1.09), and DIR-868L (A1-1.1
nvd
← Previous4 / 4