First published: Wed Jul 22 2020
An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. There exists an exposed administration function in getcfg.php, which can be used to call various services. It can be utilized by an attacker to retrieve various sensitive information, such as admin login credentials, by setting the value of _POST_SERVICES in the query string to DEVICE.ACCOUNT.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
D-link Dir-816l Firmware | =2.06 | |
D-link Dir-816l Firmware | =2.06.b09-beta | |
Dlink Dir-816l | =b1 | |
Dlink Dir-816l Firmware | =2.06 | |
Dlink Dir-816l Firmware | =2.06.b09-beta | |
CVE-2020-15894 is a vulnerability found in D-Link DIR-816L devices 2.x before 1.10b04Beta02, which allows an attacker to retrieve sensitive information.
An attacker can exploit CVE-2020-15894 by utilizing the exposed administration function in getcfg.php to call various services and retrieve sensitive information.
CVE-2020-15894 has a severity rating of 7.5 (high).
If you are using D-Link DIR-816L devices 2.x before 1.10b04Beta02 or 2.06 firmware, your device may be affected by CVE-2020-15894.
To fix CVE-2020-15894, it is recommended to update your D-Link DIR-816L device to firmware version 1.10b04Beta02 or newer.