CVE-2020-27863

Name of the Vulnerable Software and Affected Versions D-Link DVA-2800 versions prior to firmware version 2.3 D-Link DSL-2888A versions prior to firmware version 2.3

Description This issue allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link routers. Authentication is not required to exploit this issue. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this issue to disclose stored credentials, leading to further compromise.

Recommendations For D-Link DVA-2800 versions prior to firmware version 2.3, update to firmware version 2.3 or later to resolve the issue. For D-Link DSL-2888A versions prior to firmware version 2.3, update to firmware version 2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the dhttpd service on TCP port 8008 until a patch is available.