Details of VAR-201210-0554

ID

VAR-201210-0554

CVE

CVE-2012-1308

TITLE

D-Link DSL-2640B Firmware redpass.cgi Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2012-004823

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in redpass.cgi in D-Link DSL-2640B Firmware EU_4.00 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysPassword parameter. D-Link is Taiwan's first publicly traded online company, with its own D-Link brand marketing computer network products in more than 100 countries around the world. Other attacks are also possible. The D-Link DSL-2640B router is prone to a cross-site request-forgery vulnerability. This issue affects D-Link DSL-2640B. D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment

Trust: 2.52

sources: NVD: CVE-2012-1308 // JVNDB: JVNDB-2012-004823 // CNVD: CNVD-2012-0804 // BID: 52096 // VULHUB: VHN-54589

IOT TAXONOMY

category:

['IoT', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2012-0804

AFFECTED PRODUCTS

vendor:	dlink	model:	dsl-2640b	scope:	eq	version:	4.00	Trust: 1.6
vendor:	dlink	model:	dsl-2640b	scope:	eq	version:	-	Trust: 1.0
vendor:	d link	model:	dsl-2640b	scope:	eq	version:	0	Trust: 0.9
vendor:	d link	model:	dsl-2640b	scope:	-	version:	-	Trust: 0.8
vendor:	d link	model:	dsl-2640b	scope:	eq	version:	eu_4.00	Trust: 0.8

sources: CNVD: CNVD-2012-0804 // BID: 52096 // JVNDB: JVNDB-2012-004823 // CNNVD: CNNVD-201202-426 // NVD: CVE-2012-1308

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2012-1308
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2012-1308
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201202-426
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-54589
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2012-1308
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-54589
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-54589 // JVNDB: JVNDB-2012-004823 // CNNVD: CNNVD-201202-426 // NVD: CVE-2012-1308

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-54589 // JVNDB: JVNDB-2012-004823 // NVD: CVE-2012-1308

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-426

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201202-426

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-004823

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-54589

PATCH

title:	DSL-2640B	url:	http://www.dlink.com/us/en/home-solutions/connect/modems-and-gateways/dsl-2640b-adsl-2-wireless-g-router-with-4-port-10-100-switch	Trust: 0.8
title:	D-Link DSL-2640B 'redpass.cgi' patch for cross-site request forgery vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/10592	Trust: 0.6

sources: CNVD: CNVD-2012-0804 // JVNDB: JVNDB-2012-004823

EXTERNAL IDS

db:	NVD	id:	CVE-2012-1308	Trust: 2.8
db:	BID	id:	52096	Trust: 2.6
db:	EXPLOIT-DB	id:	18499	Trust: 1.7
db:	JVNDB	id:	JVNDB-2012-004823	Trust: 0.8
db:	CNNVD	id:	CNNVD-201202-426	Trust: 0.7
db:	CNVD	id:	CNVD-2012-0804	Trust: 0.6
db:	XF	id:	2640	Trust: 0.6
db:	XF	id:	73316	Trust: 0.6
db:	SEEBUG	id:	SSVID-72593	Trust: 0.1
db:	VULHUB	id:	VHN-54589	Trust: 0.1

sources: CNVD: CNVD-2012-0804 // VULHUB: VHN-54589 // BID: 52096 // JVNDB: JVNDB-2012-004823 // CNNVD: CNNVD-201202-426 // NVD: CVE-2012-1308

REFERENCES

url:	http://www.securityfocus.com/bid/52096	Trust: 2.3
url:	http://www.exploit-db.com/exploits/18499	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/73316	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1308	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-1308	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/73316	Trust: 0.6
url:	http://www.d-link.com/products/?pid=567	Trust: 0.3
url:	http://www.d-link.com	Trust: 0.3

sources: CNVD: CNVD-2012-0804 // VULHUB: VHN-54589 // BID: 52096 // JVNDB: JVNDB-2012-004823 // CNNVD: CNNVD-201202-426 // NVD: CVE-2012-1308

CREDITS

Ivano Binetti

Trust: 0.9

sources: BID: 52096 // CNNVD: CNNVD-201202-426

SOURCES

db:	CNVD	id:	CNVD-2012-0804
db:	VULHUB	id:	VHN-54589
db:	BID	id:	52096
db:	JVNDB	id:	JVNDB-2012-004823
db:	CNNVD	id:	CNNVD-201202-426
db:	NVD	id:	CVE-2012-1308

LAST UPDATE DATE

2024-08-14T14:52:40.609000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2012-0804	date:	2012-02-22T00:00:00
db:	VULHUB	id:	VHN-54589	date:	2017-08-29T00:00:00
db:	BID	id:	52096	date:	2012-10-10T18:10:00
db:	JVNDB	id:	JVNDB-2012-004823	date:	2012-10-11T00:00:00
db:	CNNVD	id:	CNNVD-201202-426	date:	2012-02-23T00:00:00
db:	NVD	id:	CVE-2012-1308	date:	2017-08-29T01:31:16.273

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2012-0804	date:	2012-02-22T00:00:00
db:	VULHUB	id:	VHN-54589	date:	2012-10-08T00:00:00
db:	BID	id:	52096	date:	2012-02-21T00:00:00
db:	JVNDB	id:	JVNDB-2012-004823	date:	2012-10-11T00:00:00
db:	CNNVD	id:	CNNVD-201202-426	date:	1900-01-01T00:00:00
db:	NVD	id:	CVE-2012-1308	date:	2012-10-08T18:55:01.200