Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.
Published 2015-01-13 11:59:04
Updated 2024-05-18 01:00:01
Source MITRE
View at NVD,   CVE.org
Vulnerability category: Cross-site request forgery (CSRF)

CVE-2014-100005 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
D-Link DIR-600 Router Cross-Site Request Forgery (CSRF) Vulnerability
CISA required action:
This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.
CISA description:
D-Link DIR-600 routers contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to change router configurations by hijacking an existing administrator session.
Notes:
https://legacy.us.dlink.com/pages/product.aspx?id=4587b63118524aec911191cc81605283
Added on 2024-05-16 Action due date 2024-06-06

Exploit prediction scoring system (EPSS) score for CVE-2014-100005

86.06%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2014-100005

  • D-Link DIR-645 / DIR-815 diagnostic.php Command Execution
    Disclosure Date: 2013-03-05
    First seen: 2020-04-26
    exploit/linux/http/dlink_diagnostic_exec_noauth
    Some D-Link Routers are vulnerable to OS Command injection in the web interface. On DIR-645 versions prior 1.03 authentication isn't needed to exploit it. On version 1.03 authentication is needed in order to trigger the vulnerability, which has been fixed definitel

CVSS scores for CVE-2014-100005

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.8
MEDIUM AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6
6.4
NIST

CWE ids for CVE-2014-100005

  • The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
    Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-100005

Products affected by CVE-2014-100005

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!