CVE-2020-15894
HIGHD-Link DIR-816L Firmware 2.x - Unauthenticated Sensitive Information Exposure via getcfg.php DEVICE.ACCOUNT
Title source: llmDescription
An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. There exists an exposed administration function in getcfg.php, which can be used to call various services. It can be utilized by an attacker to retrieve various sensitive information, such as admin login credentials, by setting the value of _POST_SERVICES in the query string to DEVICE.ACCOUNT.
References (2)
Core 2
Core References
Patch, Vendor Advisory x_refsource_misc
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10169
Third Party Advisory x_refsource_misc
https://research.loginsoft.com/bugs/multiple-vulnerabilities-discovered-in-the-d-link-firmware-dir-816l/
Scores
CVSS v3
7.5
EPSS
0.0127
EPSS Percentile
79.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-306
Status
published
Products (2)
dlink/dir-816l_firmware
2.06
dlink/dir-816l_firmware
2.06.b09 beta
Published
Jul 22, 2020
Tracked Since
Feb 18, 2026