CVE-2019-19598

Published: 05 Dec 2019
Source: nvd
CVSS3: 8.8
CVSS2: 8.3
EPSS: Low

Description

D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function.

Vulnerable configurations

Configuration 1

All of

One of

cpe:2.3:o:dlink:dap-1860_firmware:1.01b06:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dap-1860_firmware:1.02b01:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dap-1860_firmware:1.04b01:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dap-1860:-:*:*:*:*:*:*:*

EPSS

Percentile: 59%
0.00374
Low

8.8 High

CVSS3

8.3 High

CVSS2

Weaknesses

CWE-287

Related vulnerabilities

github
more than 3 years ago

D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function.

EPSS

Percentile: 59%
0.00374
Low

8.8 High

CVSS3

8.3 High

CVSS2

Weaknesses

CWE-287