First published: Wed Apr 14 2021(Updated: )
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of CGI scripts. When parsing the errorpage request parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11856.
Credit: zdi-disclosures@trendmicro.com zdi-disclosures@trendmicro.com
Affected Software | Affected Version | How to fix |
---|---|---|
D-Link DAP-2020 | =1.01-rc001 | |
D-Link DAP-2020 | ||
D-Link DAP-2020 | =1.01-rc001 | |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-27250 is a vulnerability that allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 Wi-Fi access points.
No, authentication is not required to exploit this vulnerability.
Network-adjacent attackers can exploit CVE-2021-27250 by sending malicious requests to the affected D-Link DAP-2020 v1.01rc001 Wi-Fi access points.
CVE-2021-27250 has a severity rating of 6.5 (medium).
To fix CVE-2021-27250, users should update their D-Link DAP-2020 firmware to version 1.01rc001 or higher as recommended by the vendor.