ID

VAR-201807-0343


CVE

CVE-2018-12103


TITLE

D-Link DIR-890L A2 Device access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-007682

DESCRIPTION

An issue was discovered on D-Link DIR-890L with firmware 1.21B02beta01 and earlier, DIR-885L/R with firmware 1.21B03beta01 and earlier, and DIR-895L/R with firmware 1.21B04beta04 and earlier devices (all hardware revisions). Because the /docs/captcha_(number).jpeg URI is predictable and is reachable from the local network without authenticating to the administrator's panel, an attacker can disclose the CAPTCHAs used by the access point and can elect to load the CAPTCHA of their choosing, leading to unauthorized login attempts to the access point.

The D-Link DIR-890L A2 device contains an access control vulnerability. Information may be tampered with. The D-Link DIR-890L is a wireless router product of D-Link. The D-Link DIR-890L A2 has an improper access control vulnerability. A security vulnerability exists in the D-Link DIR-890L A2.

[Suggested description] An issue was discovered on D-Link DIR-890L A2 devices.
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Kevin Randall

Trust: 2.34

sources: NVD: CVE-2018-12103 // JVNDB: JVNDB-2018-007682 // CNVD: CNVD-2018-12491 // VULHUB: VHN-122029 // PACKETSTORM: 148393

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-12491

AFFECTED PRODUCTS

vendor: d link, model: dir-890l a2, scope: -, version: -

Trust: 1.4

vendor: d link, model: dir-885l/r, scope: lte, version: 1.21b03beta01

Trust: 1.0

vendor: dlink, model: dir-890l, scope: lte, version: 1.21b02beta01

Trust: 1.0

vendor: d link, model: dir-895l/r, scope: lte, version: 1.21b04beta01

Trust: 1.0

vendor: d link, model: dir-890l a2, scope: eq, version: -

Trust: 0.6

sources: CNVD: CNVD-2018-12491 // JVNDB: JVNDB-2018-007682 // CNNVD: CNNVD-201807-320 // NVD: CVE-2018-12103

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-12103
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-12103
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-12491
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201807-320
value: MEDIUM

Trust: 0.6

VULHUB: VHN-122029
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-12103
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-12491
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-122029
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-12103
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-12491 // VULHUB: VHN-122029 // JVNDB: JVNDB-2018-007682 // CNNVD: CNNVD-201807-320 // NVD: CVE-2018-12103

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-122029 // JVNDB: JVNDB-2018-007682 // NVD: CVE-2018-12103

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201807-320

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201807-320

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007682

PATCH

title: Top Page, url: http://us.dlink.com/

Trust: 0.8

sources: JVNDB: JVNDB-2018-007682

EXTERNAL IDS

db: NVD, id: CVE-2018-12103

Trust: 3.2

db: DLINK, id: SAP10099

Trust: 1.7

db: JVNDB, id: JVNDB-2018-007682

Trust: 0.8

db: CNNVD, id: CNNVD-201807-320

Trust: 0.7

db: CNVD, id: CNVD-2018-12491

Trust: 0.6

db: PACKETSTORM, id: 148393

Trust: 0.2

db: VULHUB, id: VHN-122029

Trust: 0.1

sources: CNVD: CNVD-2018-12491 // VULHUB: VHN-122029 // JVNDB: JVNDB-2018-007682 // PACKETSTORM: 148393 // CNNVD: CNNVD-201807-320 // NVD: CVE-2018-12103

REFERENCES

url: http://seclists.org/fulldisclosure/2018/jul/13

Trust: 3.1

url: https://securityadvisories.dlink.com/announcement/publication.aspx?name=sap10099

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2018-12103

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12103

Trust: 0.8

sources: CNVD: CNVD-2018-12491 // VULHUB: VHN-122029 // JVNDB: JVNDB-2018-007682 // PACKETSTORM: 148393 // CNNVD: CNNVD-201807-320 // NVD: CVE-2018-12103

CREDITS

Kevin Randall

Trust: 0.1

sources: PACKETSTORM: 148393

SOURCES

db: CNVD, id: CNVD-2018-12491
db: VULHUB, id: VHN-122029
db: JVNDB, id: JVNDB-2018-007682
db: PACKETSTORM, id: 148393
db: CNNVD, id: CNNVD-201807-320
db: NVD, id: CVE-2018-12103

LAST UPDATE DATE

2024-11-23T22:52:02.919000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-12491, date: 2018-07-04T00:00:00
db: VULHUB, id: VHN-122029, date: 2019-10-03T00:00:00
db: JVNDB, id: JVNDB-2018-007682, date: 2018-09-21T00:00:00
db: CNNVD, id: CNNVD-201807-320, date: 2019-10-08T00:00:00
db: NVD, id: CVE-2018-12103, date: 2024-11-21T03:44:36.390

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-12491, date: 2018-07-04T00:00:00
db: VULHUB, id: VHN-122029, date: 2018-07-05T00:00:00
db: JVNDB, id: JVNDB-2018-007682, date: 2018-09-21T00:00:00
db: PACKETSTORM, id: 148393, date: 2018-07-02T19:48:01
db: CNNVD, id: CNNVD-201807-320, date: 2018-07-06T00:00:00
db: NVD, id: CVE-2018-12103, date: 2018-07-05T20:29:00.433