Описание
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
Уязвимые конфигурации
EPSS
8.8 High
CVSS3
Дефекты
Связанные уязвимости
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
Уязвимость программной платформы комплексного сетевого управления D-Link D-View, связанная с обходом авторизации посредством ключа, контролируемого пользователем, позволяющая нарушителю получить полный контроль над учетной записью и системой
EPSS
8.8 High
CVSS3