Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Dsr\-250_firmware
(Dlink)Repositories |
Unknown: This might be proprietary software. |
#Vulnerabilities | 8 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2013-12-19 | CVE-2013-5946 | The runShellCmd function in systemCheck.htm in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "Ping or Trace an IP Address" or (2) "Perform a DNS Lookup" section. | Dsr\-1000, Dsr\-1000_firmware, Dsr\-1000n, Dsr\-1000n_firmware, Dsr\-150, Dsr\-150_firmware, Dsr\-150n, Dsr\-150n_firmware, Dsr\-250, Dsr\-250_firmware, Dsr\-250n_firmware, Dsr\-500, Dsr\-500_firmware, Dsr\-500n, Dsr\-500n_firmware | N/A | ||
2013-12-19 | CVE-2013-7004 | D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 have a hardcoded account of username gkJ9232xXyruTRmY, which makes it easier for remote attackers to obtain access by leveraging knowledge of the username. | Dsr\-1000, Dsr\-1000_firmware, Dsr\-1000n, Dsr\-1000n_firmware, Dsr\-150, Dsr\-150_firmware, Dsr\-150n, Dsr\-150n_firmware, Dsr\-250, Dsr\-250_firmware, Dsr\-250n_firmware, Dsr\-500, Dsr\-500_firmware, Dsr\-500n, Dsr\-500n_firmware | N/A | ||
2013-12-19 | CVE-2013-7005 | D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 stores account passwords in cleartext, which allows local users to obtain sensitive information by reading the Users[#]["Password"] fields in /tmp/teamf1.cfg.ascii. | Dsr\-1000, Dsr\-1000_firmware, Dsr\-1000n, Dsr\-1000n_firmware, Dsr\-150, Dsr\-150_firmware, Dsr\-150n, Dsr\-150n_firmware, Dsr\-250, Dsr\-250_firmware, Dsr\-250n_firmware, Dsr\-500, Dsr\-500_firmware, Dsr\-500n, Dsr\-500n_firmware | N/A | ||
2020-12-15 | CVE-2020-25757 | A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17. | Dsr\-1000_firmware, Dsr\-1000ac_firmware, Dsr\-1000n_firmware, Dsr\-150_firmware, Dsr\-150n_firmware, Dsr\-250_firmware, Dsr\-250n_firmware, Dsr\-500_firmware, Dsr\-500ac_firmware, Dsr\-500n_firmware | 8.8 | ||
2020-12-15 | CVE-2020-25759 | An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Services Router web interface could allow an authenticated attacker to execute arbitrary commands, due to a lack of validation of inputs provided in multipart HTTP POST requests. | Dsr\-1000_firmware, Dsr\-1000ac_firmware, Dsr\-1000n_firmware, Dsr\-150_firmware, Dsr\-150n_firmware, Dsr\-250_firmware, Dsr\-250n_firmware, Dsr\-500_firmware, Dsr\-500ac_firmware, Dsr\-500n_firmware | 8.8 | ||
2021-02-02 | CVE-2020-18568 | The D-Link DSR-250 (3.14) DSR-1000N (2.11B201) UPnP service contains a command injection vulnerability, which can cause remote command execution. | Dsr\-1000n_firmware, Dsr\-250_firmware | 9.8 | ||
2020-02-11 | CVE-2013-5945 | Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 allow remote attackers to execute arbitrary SQL commands via the password to (1) the login.authenticate function in share/lua/5.1/teamf1lualib/login.lua or (2) captivePortal.lua. | Dsr\-1000_firmware, Dsr\-1000n_firmware, Dsr\-150_firmware, Dsr\-150n_firmware, Dsr\-250_firmware, Dsr\-250n_firmware, Dsr\-500_firmware, Dsr\-500n_firmware | 9.8 | ||
2020-12-15 | CVE-2020-25758 | An issue was discovered on D-Link DSR-250 3.17 devices. Insufficient validation of configuration file checksums could allow a remote, authenticated attacker to inject arbitrary crontab entries into saved configurations before uploading. These entries are executed as root. | Dsr\-1000_firmware, Dsr\-1000ac_firmware, Dsr\-1000n_firmware, Dsr\-150_firmware, Dsr\-150n_firmware, Dsr\-250_firmware, Dsr\-250n_firmware, Dsr\-500_firmware, Dsr\-500ac_firmware, Dsr\-500n_firmware | 8.8 |