Details of VAR-201907-1066

ID

VAR-201907-1066

CVE

CVE-2017-8406

TITLE

D-Link DCS-1130 Device cross-site request forgery vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-014557

DESCRIPTION

An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows an hosted flash file on any domain to make calls to the device's webserver and pull any information that is stored on the device. In this case, user's credentials are stored in clear text on the device and can be pulled easily. It also seems that the device does not implement any cross-site scripting forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site flashing attack on the user's browser and execute any action on the device provided by the web management interface which steals the credentials from tools_admin.cgi file's response and displays it inside a Textfield. D-Link DCS-1130 The device contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. D-LinkDCS-1130 is a network camera of D-Link Corporation of Taiwan, China. There is a security hole in D-LinkDCS-1130. The attacker can use this vulnerability to steal the credentials of the administrative user, control the device as the admin user, execute arbitrary code or modify the user password

Trust: 2.34

sources: NVD: CVE-2017-8406 // JVNDB: JVNDB-2017-014557 // CNVD: CNVD-2019-23341 // VULHUB: VHN-116609 // VULMON: CVE-2017-8406

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-23341

AFFECTED PRODUCTS

vendor:	dlink	model:	dcs-1130	scope:	eq	version:	-	Trust: 1.0
vendor:	d link	model:	dcs-1130	scope:	-	version:	-	Trust: 0.8
vendor:	d link	model:	dcs-1130 no	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2019-23341 // JVNDB: JVNDB-2017-014557 // NVD: CVE-2017-8406

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-8406
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-8406
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-23341
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201907-129
value:	HIGH
Trust: 0.6
VULHUB:	VHN-116609
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-8406
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-8406
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-23341
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-116609
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-8406
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2017-8406
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2019-23341 // VULHUB: VHN-116609 // VULMON: CVE-2017-8406 // JVNDB: JVNDB-2017-014557 // CNNVD: CNNVD-201907-129 // NVD: CVE-2017-8406

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-116609 // JVNDB: JVNDB-2017-014557 // NVD: CVE-2017-8406

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-129

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201907-129

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014557

PATCH

title:	Top Page	url:	https://www.dlink.com/en/consumer	Trust: 0.8
title:	IoT_vulnerabilities	url:	https://github.com/ethanhunnt/IoT_vulnerabilities	Trust: 0.1

sources: VULMON: CVE-2017-8406 // JVNDB: JVNDB-2017-014557

EXTERNAL IDS

db:	NVD	id:	CVE-2017-8406	Trust: 3.3
db:	PACKETSTORM	id:	153226	Trust: 1.9
db:	JVNDB	id:	JVNDB-2017-014557	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-129	Trust: 0.7
db:	CNVD	id:	CNVD-2019-23341	Trust: 0.6
db:	VULHUB	id:	VHN-116609	Trust: 0.1
db:	VULMON	id:	CVE-2017-8406	Trust: 0.1

sources: CNVD: CNVD-2019-23341 // VULHUB: VHN-116609 // VULMON: CVE-2017-8406 // JVNDB: JVNDB-2017-014557 // PACKETSTORM: 153226 // CNNVD: CNNVD-201907-129 // NVD: CVE-2017-8406

REFERENCES

url:	https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/dlink_dcs_1130_security.pdf	Trust: 2.6
url:	http://packetstormsecurity.com/files/153226/dlink-dcs-1130-command-injection-csrf-stack-overflow.html	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8406	Trust: 2.1
url:	https://seclists.org/bugtraq/2019/jun/8	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8406	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/ethanhunnt/iot_vulnerabilities	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8408	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8413	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8405	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8410	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8412	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8409	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8415	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8417	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8404	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8416	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8411	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8407	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8414	Trust: 0.1

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153226

SOURCES

db:	CNVD	id:	CNVD-2019-23341
db:	VULHUB	id:	VHN-116609
db:	VULMON	id:	CVE-2017-8406
db:	JVNDB	id:	JVNDB-2017-014557
db:	PACKETSTORM	id:	153226
db:	CNNVD	id:	CNNVD-201907-129
db:	NVD	id:	CVE-2017-8406

LAST UPDATE DATE

2024-11-23T21:37:04.531000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-23341	date:	2019-07-19T00:00:00
db:	VULHUB	id:	VHN-116609	date:	2019-07-09T00:00:00
db:	VULMON	id:	CVE-2017-8406	date:	2021-04-26T00:00:00
db:	JVNDB	id:	JVNDB-2017-014557	date:	2019-07-10T00:00:00
db:	CNNVD	id:	CNNVD-201907-129	date:	2021-04-27T00:00:00
db:	NVD	id:	CVE-2017-8406	date:	2024-11-21T03:33:58.360

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-23341	date:	2019-07-18T00:00:00
db:	VULHUB	id:	VHN-116609	date:	2019-07-02T00:00:00
db:	VULMON	id:	CVE-2017-8406	date:	2019-07-02T00:00:00
db:	JVNDB	id:	JVNDB-2017-014557	date:	2019-07-10T00:00:00
db:	PACKETSTORM	id:	153226	date:	2019-06-07T15:06:02
db:	CNNVD	id:	CNNVD-201907-129	date:	2019-07-02T00:00:00
db:	NVD	id:	CVE-2017-8406	date:	2019-07-02T20:15:10.967