CVE-2018-7698

EUVD-2018-19414
An issue was discovered in D-Link mydlink+ 3.8.5 build 259 for DCS-933L 1.05.04 and DCS-934L 1.05.04 devices. The mydlink+ app sends the username and password for connected D-Link cameras (such as DCS-933L and DCS-934L) unencrypted from the app to the camera, allowing attackers to obtain these credentials and gain control of the camera including the ability to view the camera's stream and make changes without the user's knowledge.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Affected Products (NVD)
VendorProductVersion
d-linkmydlink\+
3.8.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.nickleghorn.com/2019/06/16/d-link-security-cameras-using-mydlink-app-leak-passwords/
https://blog.nickleghorn.com/2019/06/16/d-link-security-cameras-using-mydlink-app-leak-passwords/