CVE-2022-36785: D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass.
First published: Thu Nov 17 2022(Updated: )
D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. *Information Disclosure – file contains a URL with private IP at line 15 "login.asp" A. The window.location.href = http://192.168.1.1/setupWizard.asp" http://192.168.1.1/setupWizard.asp" ; "admin" – contains default username value "login.asp" B. While accessing the web interface, the login form at *Authorization Bypass – URL by "setupWizard.asp' while it blocks direct access to – the web interface does not properly validate user identity variables values located at the client side, it is available to access it without a "login_glag" and "login_status" checking browser and to read the admin user credentials for the web interface.
Credit: cna@cyber.gov.il
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dlink G Integrated Access Device4 | =1.0 | |
| Dlink G Integrated Access Device4 Firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/author
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/title
- agent/weakness
- agent/severity
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- vendor/dlink
- canonical/dlink g integrated access device4
- version/dlink g integrated access device4/1.0
- canonical/dlink g integrated access device4 firmware