Details of VAR-201405-0646

ID

VAR-201405-0646

CVE

CVE-2014-3226

TITLE

D-Link DWC-1000 Directory Traversal Vulnerability

Trust: 0.9

sources: BID: 67470 // CNNVD: CNNVD-201405-349

DESCRIPTION

D-Link DWC-1000 'thispage' has a directory traversal vulnerability, because the input submitted to platform.cgi via the \"thispage\" POST parameter is not fully filtered before being used to read the file, allowing remote attackers to exploit the vulnerability through directory traversal and The NULL byte of the URL encoding reads the contents of any file in the system. D-Link DWC-1000 is an enterprise router product of D-Link. D-Link DWC-1000 4.2.0.6_WW and earlier versions have a directory traversal vulnerability. An attacker could use this vulnerability to gain access to arbitrary files. D-Link DWC-1000 is prone to a directory-traversal vulnerability. Information harvested may aid in launching further attacks

Trust: 1.35

sources: CNVD: CNVD-2014-03155 // CNNVD: CNNVD-201405-349 // BID: 67470

IOT TAXONOMY

category:

['IoT', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-03155

AFFECTED PRODUCTS

vendor:	d link	model:	dwc-1000	scope:	-	version:	-	Trust: 0.6
vendor:	d link	model:	dwc-1000 4.2.0.6 ww	scope:	-	version:	-	Trust: 0.3
vendor:	d link	model:	dwc-1000 4.2.0.6b303 ww	scope:	ne	version:	-	Trust: 0.3

sources: CNVD: CNVD-2014-03155 // BID: 67470

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD:	CNVD-2014-03155
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2014-03155
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2014-03155

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201405-349

TYPE

path traversal

Trust: 1.2

sources: CNNVD: CNNVD-201405-349 // CNNVD: CNNVD-201408-062

PATCH

title:

D-Link DWC-1000 'thispage' directory traversal vulnerability patch

url:

https://www.cnvd.org.cn/patchinfo/show/45761

Trust: 0.6

sources: CNVD: CNVD-2014-03155

EXTERNAL IDS

db:	DLINK	id:	SAP10026	Trust: 1.5
db:	BID	id:	67470	Trust: 0.9
db:	CNVD	id:	CNVD-2014-03155	Trust: 0.6
db:	CNNVD	id:	CNNVD-201405-349	Trust: 0.6
db:	NVD	id:	CVE-2014-3226	Trust: 0.6
db:	SECUNIA	id:	58560	Trust: 0.6
db:	CNNVD	id:	CNNVD-201408-062	Trust: 0.6

sources: CNVD: CNVD-2014-03155 // BID: 67470 // CNNVD: CNNVD-201405-349 // CNNVD: CNNVD-201408-062

REFERENCES

url:	http://securityadvisories.dlink.com/security/publication.aspx?name=sap10026	Trust: 1.5
url:	http://www.securityfocus.com/bid/67470	Trust: 0.6
url:	http://secunia.com/advisories/58560	Trust: 0.6
url:	http://www.dlink.com/us/en/business-solutions/wireless/unified-wireless/wireless-controllers/dwc-1000-d-link-wireless-controller	Trust: 0.3
url:	http://www.d-link.com	Trust: 0.3

sources: CNVD: CNVD-2014-03155 // BID: 67470 // CNNVD: CNNVD-201405-349 // CNNVD: CNNVD-201408-062

CREDITS

Holistic Security Consulting Gmbh

Trust: 0.9

sources: BID: 67470 // CNNVD: CNNVD-201405-349

SOURCES

db:	CNVD	id:	CNVD-2014-03155
db:	BID	id:	67470
db:	CNNVD	id:	CNNVD-201405-349
db:	CNNVD	id:	CNNVD-201408-062

LAST UPDATE DATE

2022-05-04T09:30:14.152000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-03155	date:	2014-05-22T00:00:00
db:	BID	id:	67470	date:	2014-05-10T00:00:00
db:	CNNVD	id:	CNNVD-201405-349	date:	2014-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201408-062	date:	2014-08-06T00:00:00

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-03155	date:	2014-05-21T00:00:00
db:	BID	id:	67470	date:	2014-05-10T00:00:00
db:	CNNVD	id:	CNNVD-201405-349	date:	2014-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201408-062	date:	2014-05-16T00:00:00