CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Vulnerability Details : CVE-2017-7852

D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1.
Publish Date : 2017-04-24 Last Update Date : 2017-05-08
Search Twitter   Search YouTube   Search Google

- CVSS Scores & Vulnerability Types

CVSS Score
6.8
Confidentiality Impact Partial (There is considerable informational disclosure.)
Integrity Impact Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity Medium (The access conditions are somewhat specialized. Some preconditions must be satistified to exploit)
Authentication Not required (Authentication is not required to exploit the vulnerability.)
Gained Access None
Vulnerability Type(s) CSRF
CWE ID 352

- Products Affected By CVE-2017-7852

# Product Type Vendor Product Version Update Edition Language
1 OS D-link Dcs-2132l Firmware 1.08.01 Version Details Vulnerabilities
2 OS D-link Dcs-2132l Firmware 2.12.00 Version Details Vulnerabilities
3 OS D-link Dcs-2136l Firmware 1.04.01 Version Details Vulnerabilities
4 OS D-link Dcs-2210l Firmware 1.03.01 Version Details Vulnerabilities
5 OS D-link Dcs-2230l Firmware 1.03.01 Version Details Vulnerabilities
6 OS D-link Dcs-2310l Firmware 1.08.01 Version Details Vulnerabilities
7 OS D-link Dcs-2310l Firmware 2.03.00 Version Details Vulnerabilities
8 OS D-link Dcs-2330l Firmware 1.13.00 Version Details Vulnerabilities
9 OS D-link Dcs-2332l Firmware 1.08.01 Version Details Vulnerabilities
10 OS D-link Dcs-2530l Firmware 1.00.21 Version Details Vulnerabilities
11 OS D-link Dcs-5000l Firmware 1.02.02 Version Details Vulnerabilities
12 OS D-link Dcs-5009l Firmware 1.07.05 Version Details Vulnerabilities
13 OS D-link Dcs-5010l Firmware 1.13.05 Version Details Vulnerabilities
14 OS D-link Dcs-5020l Firmware 1.13.05 Version Details Vulnerabilities
15 OS D-link Dcs-5025l Firmware 1.02.10 Version Details Vulnerabilities
16 OS D-link Dcs-5029l Firmware 1.12.00 Version Details Vulnerabilities
17 OS D-link Dcs-5030l Firmware 1.01.06 Version Details Vulnerabilities
18 OS D-link Dcs-5222l Firmware 2.12.00 Version Details Vulnerabilities
19 OS D-link Dcs-6010l Firmware 1.15.01 Version Details Vulnerabilities
20 OS D-link Dcs-6212l Firmware 1.00.12 Version Details Vulnerabilities
21 OS D-link Dcs-7000l Firmware 1.04.00 Version Details Vulnerabilities
22 OS D-link Dcs-7010l Firmware 1.08.01 Version Details Vulnerabilities
23 OS D-link Dcs-930l Firmware 1.15.04 Version Details Vulnerabilities
24 OS D-link Dcs-930l Firmware 2.13.15 Version Details Vulnerabilities
25 OS D-link Dcs-931l Firmware 1.13.05 Version Details Vulnerabilities
26 OS D-link Dcs-932l Firmware 1.13.04 Version Details Vulnerabilities
27 OS D-link Dcs-932l Firmware 2.13.15 Version Details Vulnerabilities
28 OS D-link Dcs-933l Firmware 1.13.05 Version Details Vulnerabilities
29 OS D-link Dcs-934l Firmware 1.04.15 Version Details Vulnerabilities
30 OS D-link Dcs-942l Firmware 1.27 Version Details Vulnerabilities
31 OS D-link Dcs-942l Firmware 2.11.03 Version Details Vulnerabilities

- Number Of Affected Versions By Product

Vendor Product Vulnerable Versions
D-link Dcs-2132l Firmware 2
D-link Dcs-2136l Firmware 1
D-link Dcs-2210l Firmware 1
D-link Dcs-2230l Firmware 1
D-link Dcs-2310l Firmware 2
D-link Dcs-2330l Firmware 1
D-link Dcs-2332l Firmware 1
D-link Dcs-2530l Firmware 1
D-link Dcs-5000l Firmware 1
D-link Dcs-5009l Firmware 1
D-link Dcs-5010l Firmware 1
D-link Dcs-5020l Firmware 1
D-link Dcs-5025l Firmware 1
D-link Dcs-5029l Firmware 1
D-link Dcs-5030l Firmware 1
D-link Dcs-5222l Firmware 1
D-link Dcs-6010l Firmware 1
D-link Dcs-6212l Firmware 1
D-link Dcs-7000l Firmware 1
D-link Dcs-7010l Firmware 1
D-link Dcs-930l Firmware 2
D-link Dcs-931l Firmware 1
D-link Dcs-932l Firmware 2
D-link Dcs-933l Firmware 1
D-link Dcs-934l Firmware 1
D-link Dcs-942l Firmware 2

- References For CVE-2017-7852

https://www.qualys.com/2017/02/22/qsa-2017-02-22/qsa-2017-02-22.pdf

- Vulnerability Conditions

Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)
Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)

- Metasploit Modules Related To CVE-2017-7852

There are not any metasploit modules related to this CVE entry (Please visit www.metasploit.com for more information)


CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.