CVE-2019-19598
moderate-risk
Published 2019-12-05
D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function.
Do I need to act?
-
0.52% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
ADJACENT_NETWORK
/ LOW complexity
Affected Products (3)
Affected Vendors
References (4)
Third Party Advisory
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP1...
Third Party Advisory
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP1...
38
/ 100
moderate-risk
Severity
27/34 · High
Exploitability
2/34 · Minimal
Exposure
9/34 · Low