ID

VAR-201904-0617


CVE

CVE-2018-17989


TITLE

D-Link DSL-3782 Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-14083 // CNNVD: CNNVD-201904-036

DESCRIPTION

A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page. The injected payload would be executed in a user's browser when "/cgi-bin/New_GUI/Acl.asp" is requested. The D-Link DSL-3782 device contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. D-Link DSL-3782 is a wireless router from D-Link Corporation of Taiwan, China. A cross-site scripting vulnerability exists in the web interface in D-Link DSL-3782 using firmware version 1.01. This vulnerability stems from the lack of proper validation of client data by web applications. An attacker could exploit the vulnerability to execute client code.

Trust: 2.25

sources: NVD: CVE-2018-17989 // JVNDB: JVNDB-2018-015150 // CNVD: CNVD-2019-14083 // VULHUB: VHN-128503

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-14083

AFFECTED PRODUCTS

vendor: d link model: dsl-3782 scope: eq version: 1.01

Trust: 1.4

vendor: dlink model: dsl-3782 scope: eq version: 1.01

Trust: 1.0

sources: CNVD: CNVD-2019-14083 // JVNDB: JVNDB-2018-015150 // NVD: CVE-2018-17989

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-17989
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-17989
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-14083
value: LOW

Trust: 0.6

CNNVD: CNNVD-201904-036
value: MEDIUM

Trust: 0.6

VULHUB: VHN-128503
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-17989
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-14083
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-128503
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-17989
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-14083 // VULHUB: VHN-128503 // JVNDB: JVNDB-2018-015150 // CNNVD: CNNVD-201904-036 // NVD: CVE-2018-17989

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-128503 // JVNDB: JVNDB-2018-015150 // NVD: CVE-2018-17989

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-036

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201904-036

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015150

PATCH

title: DSL-3782 url: https://eu.dlink.com/pt/pt/products/dsl-3782-wireless-ac1200-dual-band-vdsl-adsl-modem-router

Trust: 0.8

sources: JVNDB: JVNDB-2018-015150

EXTERNAL IDS

db: NVD id: CVE-2018-17989

Trust: 3.1

db: JVNDB id: JVNDB-2018-015150

Trust: 0.8

db: CNNVD id: CNNVD-201904-036

Trust: 0.7

db: CNVD id: CNVD-2019-14083

Trust: 0.6

db: NSFOCUS id: 43094

Trust: 0.6

db: VULHUB id: VHN-128503

Trust: 0.1

sources: CNVD: CNVD-2019-14083 // VULHUB: VHN-128503 // JVNDB: JVNDB-2018-015150 // CNNVD: CNNVD-201904-036 // NVD: CVE-2018-17989

REFERENCES

url: https://c0mix.github.io/2019/d-link-dir-3782-secadvisory-os-command-injection-and-stored-xss/

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2018-17989

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17989

Trust: 0.8

url: http://www.nsfocus.net/vulndb/43094

Trust: 0.6

sources: CNVD: CNVD-2019-14083 // VULHUB: VHN-128503 // JVNDB: JVNDB-2018-015150 // CNNVD: CNNVD-201904-036 // NVD: CVE-2018-17989

CREDITS

vendor ??

Trust: 0.6

sources: CNNVD: CNNVD-201904-036

SOURCES

db: CNVD id: CNVD-2019-14083
db: VULHUB id: VHN-128503
db: JVNDB id: JVNDB-2018-015150
db: CNNVD id: CNNVD-201904-036
db: NVD id: CVE-2018-17989

LAST UPDATE DATE

2024-11-23T22:45:03.986000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2019-14083 date: 2019-05-14T00:00:00
db: VULHUB id: VHN-128503 date: 2019-04-02T00:00:00
db: JVNDB id: JVNDB-2018-015150 date: 2019-05-07T00:00:00
db: CNNVD id: CNNVD-201904-036 date: 2019-04-04T00:00:00
db: NVD id: CVE-2018-17989 date: 2024-11-21T03:55:20.553

SOURCES RELEASE DATE

db: CNVD id: CNVD-2019-14083 date: 2019-05-14T00:00:00
db: VULHUB id: VHN-128503 date: 2019-04-01T00:00:00
db: JVNDB id: JVNDB-2018-015150 date: 2019-05-07T00:00:00
db: CNNVD id: CNNVD-201904-036 date: 2019-04-01T00:00:00
db: NVD id: CVE-2018-17989 date: 2019-04-01T21:29:26.873