PT-2017-17954 · D-Link · DCS-2630L +7

Published

2017-04-24

·

Updated

2023-04-26

·

CVE-2017-7852

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

D-Link DCS-933L, versions prior to 1.13.05
D-Link DCS-5030L
D-Link DCS-5020L
D-Link DCS-2530L
D-Link DCS-2630L
D-Link DCS-930L
D-Link DCS-932L
D-Link DCS-932LB1
Description

The camera's web server publishes an insecure Flash cross-domain policy file (crossdomain.xml) whose 'allow-access-from' element has its 'domain' attribute set to *, so Flash Player will let a SWF loaded from any origin make requests to the device. A site hosting a malicious Flash object can therefore drive a CSRF attack against the camera: if a victim who is logged into the camera's web console visits the malicious site, the Flash file sends requests to the victim's DCS series camera and the browser attaches the victim's existing session, so the attacker never needs to know the credentials. An attacker can retrieve live feeds or other information from the camera, add new admin users, or make other changes to the device. Flash Player reached end of life in December 2020 and is no longer shipped by mainstream browsers, which limits the practical exposure to legacy clients, but the policy file should still be corrected.
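The weak policy the advisory describes, beside a restrictive one, and a small audit routine that flags the over-permissive patterns. This is an added example and not code from the advisory or from D-Link; both policy documents are constructed here for illustration (the hostname camera.example.com is a placeholder, and the restrictive policy is an assumed hardened form, not the vendor's actual fix):

```python
"""Audit a Flash crossdomain.xml policy for the over-permissive grant
behind CVE-2017-7852 (allow-access-from domain="*") and related weak
settings. Added example; not code from the advisory or the vendor."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the weak policy described in the advisory: any
# origin may have its SWF make credentialed requests to the web console.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed restrictive policy (an assumed hardened form, not D-Link's
# fix): only one named origin is trusted, only over HTTPS, and policy files
# elsewhere on the host are not honoured.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="camera.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        # Flash treats a missing 'secure' attribute as true for HTTPS policies.
        secure = el.get("secure", "true").lower()
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin may send '
                            "credentialed requests (CVE-2017-7852 pattern)")
        elif domain.startswith("*."):
            findings.append(f"wildcard grant {domain!r}: every subdomain is trusted")
        if secure == "false":
            findings.append(f'secure="false" on {domain!r}: a plain-HTTP SWF may '
                            "call the HTTPS service")

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any '
                            "origin may send custom request headers")

    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": '
                        "policy files anywhere on the host are honoured")
    return findings


def is_vulnerable(xml_text):
    """True when the policy carries the global allow-access-from grant."""
    return any(f.startswith('allow-access-from domain="*"')
               for f in audit_crossdomain(xml_text))


if __name__ == "__main__":
    # With a file argument, audit that policy (e.g. one saved from a device);
    # otherwise show the two constructed samples side by side.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit_crossdomain(fh.read()) or ["no findings"])
    else:
        for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
            print(name, audit_crossdomain(policy) or ["no findings"])
```

To check a device, save the policy served at the web root (the path is conventionally /crossdomain.xml, at the host's top level, because Flash only consults the master policy there unless site-control says otherwise) and pass the file as the first argument. A clean result from this script only means the Flash policy is not the vector; it says nothing about the web console's other CSRF defences, such as anti-CSRF tokens on state-changing requests.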
Recommendations

For D-Link DCS-933L, update the firmware to version 1.13.05 or later. For D-Link DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L and DCS-932LB1, there is at the moment no information about a newer firmware version that contains a fix for this issue.

CSRF

Weakness Enumeration

Related Identifiers

CVE-2017-7852

Affected Products

DCS-2530L
DCS-2630L
DCS-5020L
DCS-5030L
DCS-930L
DCS-932L
DCS-932LB1
DCS-933L