CVE-2017-3192

CRITICAL

D-link Dir-130 Firmware - Insufficiently Protected Credentials

Title source: rule

Description

D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 do not sufficiently protect administrator credentials. The tools_admin.asp page discloses the administrator password in base64 encoding in the returned web page. A remote attacker with access to this page (potentially through a authentication bypass such as CVE-2017-3191) may obtain administrator credentials for the device.

References (4)

[Issue Tracking, Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/123292

[Issue Tracking, Third Party Advisory, US Government Resource] https://www.kb.cert.org/vuls/id/553503

[Third Party Advisory] https://www.scmagazine.com/d-link-dir-130-and-dir-330-routers-vulnerable/article/644553/

[Issue Tracking, Third Party Advisory] https://www.wilderssecurity.com/threads/d-link-dir-130-and-dir-330-are-vulnerable-to-authentication-bypass-and-do-not-protect-credentials.392703/

Scores

CVSS v3 9.8

EPSS 0.2769

EPSS Percentile 96.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522

Status draft

Affected Products (2)

d-link/dir-130_firmware

d-link/dir-330_firmware

Timeline

Published Dec 16, 2017

Tracked Since Feb 18, 2026