漏洞标题
N/A
漏洞描述信息
在D-Link DIR-615 v20.12PTb04之前,一旦验证通过,该设备基于其机器的IP地址识别用户。通过伪造 victim 主机的IP地址,攻击者可能能够在无需提示验证令牌的情况下接管管理会话。攻击者可以通过简单地捕获网络流量来获得受害者和路由器的IP地址。此外,如果受害者在他的路由器上启用了Web访问,并从 Behind NAT/Proxy 的不同的网络访问Web界面,攻击者可以捕获网络流量以了解受害者路由器的公共IP地址,然后接管其会话,因为他将无需提示令牌。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
On the D-Link DIR-615 before v20.12PTb04, once authenticated, this device identifies the user based on the IP address of his machine. By spoofing the IP address belonging to the victim's host, an attacker might be able to take over the administrative session without being prompted for authentication credentials. An attacker can get the victim's and router's IP addresses by simply sniffing the network traffic. Moreover, if the victim has web access enabled on his router and is accessing the web interface from a different network that is behind the NAT/Proxy, an attacker can sniff the network traffic to know the public IP address of the victim's router and take over his session as he won't be prompted for credentials.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
D-Link DIR-615 授权问题漏洞
漏洞描述信息
D-Link DIR-615是中国台湾友讯(D-Link)公司的一款无线路由器。 D-Link DIR-615 20.12PTb04之前的版本中存在授权问题漏洞。攻击者可通过嗅探网络流量利用该漏洞获取用户和路由器的IP地址,甚至获取public IP地址并接管用户会话。
CVSS信息
N/A
漏洞类别
授权问题