ID
VAR-E-201411-0495
TITLE
D-Link DAP-1360 'index.cgi' Multiple Cross Site Request Forgery and HTML Injection Vulnerabilities
Trust: 0.3
DESCRIPTION
D-Link DAP-1360 is prone to multiple cross-site request-forgery and HTML-injection vulnerabilities.
An attacker can exploit these issues to perform certain unauthorized actions, execute arbitrary script or HTML code within the context of the browser, and steal cookie-based authentication credentials. Other attacks are also possible.
D-Link DAP-1360 firmware version 1.0.0 is vulnerable; other versions may also be affected.
Trust: 0.3
AFFECTED PRODUCTS
vendor: | d link | model: | dap-1360 | scope: | eq | version: | 1.0.0 | Trust: 0.3 |
EXPLOIT
Attackers can exploit these issues using a browser. To exploit the cross-site request-forgery vulnerability, the attacker must entice an unsuspecting victim to visit a specially crafted webpage.
The following example URI is available:
http://www.example.com/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=41&res_struct_size=0&res_buf=[%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%22]
Trust: 0.3
PRICE
Free
Trust: 0.3
TYPE
Input Validation Error
Trust: 0.3
CREDITS
MustLive
Trust: 0.3
EXTERNAL IDS
db: | BID | id: | 71362 | Trust: 0.3 |
REFERENCES
url: | http://www.dlink.com/ | Trust: 0.3 |
url: | http://websecurity.com.ua/7215/ | Trust: 0.3 |
SOURCES
db: | BID | id: | 71362 |
LAST UPDATE DATE
2022-07-27T09:40:19.017000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 71362 | date: | 2014-11-27T00:00:00 |
SOURCES RELEASE DATE
db: | BID | id: | 71362 | date: | 2014-11-27T00:00:00 |