PT-2019-13421 · D Link · D-Link Dir-655
Published: 2019-07-11 · Updated: 2021-04-23 · CVE-2019-13560
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
D-Link DIR-655 C versions prior to 3.02B05 BETA03
Description
The issue allows remote attackers to force a blank password. This is achieved through the apply_sec.cgi API endpoint, specifically by manipulating the setup_wizard parameter.
Recommendations
For versions prior to 3.02B05 BETA03, update to version 3.02B05 BETA03 or later to resolve the issue. As a temporary workaround, consider restricting access to the apply_sec.cgi API endpoint to minimize the risk of exploitation. Avoid using the setup_wizard parameter in the affected API endpoint until the issue is resolved.
Affected Products
D-Link Dir-655