D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass.
*Information Disclosure –
file contains a URL with private IP at line 15 "login.asp" A. The
window.location.href = http://192.168.1.1/setupWizard.asp" http://192.168.1.1/setupWizard.asp" ;
"admin" – contains default username value "login.asp" B. While accessing the web interface, the login form at
*Authorization Bypass –
URL by "setupWizard.asp' while it blocks direct access to – the web interface does not properly validate user identity variables values located at the client side, it is available to access it without a "login_glag" and "login_status" checking browser and to read the admin user credentials for the web interface.
References
Link | Resource |
---|---|
https://www.gov.il/en/Departments/faq/cve_advisories | Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
25 Oct 2023, 18:17
Type | Values Removed | Values Added |
---|---|---|
Summary | D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. *Information Disclosure – file contains a URL with private IP at line 15 "login.asp" A. The window.location.href = http://192.168.1.1/setupWizard.asp" http://192.168.1.1/setupWizard.asp" ; "admin" – contains default username value "login.asp" B. While accessing the web interface, the login form at *Authorization Bypass – URL by "setupWizard.asp' while it blocks direct access to – the web interface does not properly validate user identity variables values located at the client side, it is available to access it without a "login_glag" and "login_status" checking browser and to read the admin user credentials for the web interface. |
22 Nov 2022, 17:09
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:h:dlink:g_integrated_access_device4:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:g_integrated_access_device4_firmware:1.0:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | CWE-863 | |
References | (MISC) https://www.gov.il/en/Departments/faq/cve_advisories - Third Party Advisory | |
First Time |
Dlink
Dlink g Integrated Access Device4 Dlink g Integrated Access Device4 Firmware |
17 Nov 2022, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-17 23:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-36785
Mitre link : CVE-2022-36785
CVE.ORG link : CVE-2022-36785
JSON object : View
Products Affected
dlink
- g_integrated_access_device4_firmware
- g_integrated_access_device4
CWE
CWE-863
Incorrect Authorization