PT-2024-3223 · D Link · D-Link Dap-2310+9
Fekirine Djallal
·
Published
2024-04-22
·
Updated
2024-11-05
·
CVE-2024-28436
CVSS v2.0
10
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
D-Link DAP products versions DAP-2230, DAP-2310, DAP-2330, DAP-2360, DAP-2553, DAP-2590, DAP-2690, DAP-2695, DAP-3520, DAP-3662
Description
The issue is a cross-site scripting vulnerability in the session_login.php component of D-Link DAP products. A remote attacker can exploit it to execute arbitrary code via the reload parameter. Successful exploitation may allow the attacker to conduct cross-site scripting attacks.
Recommendations
For D-Link DAP products versions DAP-2230, DAP-2310, DAP-2330, DAP-2360, DAP-2553, DAP-2590, DAP-2690, DAP-2695, DAP-3520, DAP-3662, consider disabling the session_login.php component or restricting access to the reload parameter until a patch is available.
As a temporary workaround, avoid using the reload parameter in the affected endpoint until the issue is resolved.
Fix
XSS
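As an added example (not code from the advisory or from D-Link), the check below turns the recommendation to restrict the reload parameter into something a defender can run against web-server access logs for the affected devices: it flags requests to session_login.php whose reload value is not a plain relative path. It assumes combined-style log lines and that legitimate reload values are relative paths such as /index.php; the log lines are constructed.

```python
"""Flag session_login.php requests whose reload parameter does not look like
a plain relative path (assumed to be the only legitimate shape of that value)."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log style request line: "METHOD /path?query HTTP/1.1"
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed allowlist: a relative path made of path-safe characters only
_SAFE_RELOAD = re.compile(r'^/[A-Za-z0-9_./-]*$')


def reload_is_safe(value: str) -> bool:
    """True only if the (already URL-decoded) reload value is a plain relative path.
    Anything with markup, a scheme, a protocol-relative prefix or traversal fails."""
    if '..' in value or value.startswith('//'):
        return False
    return bool(_SAFE_RELOAD.match(value))


def suspicious_reload_requests(log_lines):
    """Return (client_ip, decoded reload value) for every request to
    session_login.php whose reload parameter fails the allowlist above."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/session_login.php'):
            continue
        # parse_qs URL-decodes each value once; double-encoded input keeps its
        # '%' and therefore still fails the allowlist
        for value in parse_qs(parts.query, keep_blank_values=True).get('reload', []):
            if not reload_is_safe(value):
                hits.append((line.split()[0], value))
    return hits


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2024:10:00:01 +0000] "GET /session_login.php?reload=/index.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [22/Apr/2024:10:00:05 +0000] "GET /session_login.php?reload=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [22/Apr/2024:10:00:09 +0000] "GET /adv_settings.php?reload=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for client, value in suspicious_reload_requests(SAMPLE_LOG):
        print(f'{client} sent a non-path reload value: {value!r}')
```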
Affected Products
D-Link Dap-2230
D-Link Dap-2310
D-Link Dap-2330
D-Link Dap-2360
D-Link Dap-2553
D-Link Dap-2590
D-Link Dap-2690
D-Link Dap-2695
D-Link Dap-3520
D-Link Dap-3662