CVE-2014-7860

moderate-risk

Published 2017-08-25

The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token.

Do I need to act?

0.64% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Dns-327L Firmware

Dns-320L Firmware

Affected Vendors

D-Link

References (10)

Third Party Advisory http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html

Mailing List http://seclists.org/fulldisclosure/2015/May/125

Technical Description http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf

http://www.securityfocus.com/archive/1/535626/100/200/threaded

Third Party Advisory http://www.securityfocus.com/bid/74884

Third Party Advisory http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html

Mailing List http://seclists.org/fulldisclosure/2015/May/125

Technical Description http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf

http://www.securityfocus.com/archive/1/535626/100/200/threaded

Third Party Advisory http://www.securityfocus.com/bid/74884

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 2/34 · Minimal

Exposure 7/34 · Low