CVE-2023-5153

25.09.2023, 03:15

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DAR-8000 up to 20151231. This affects an unknown part of the file /Tool/querysql.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240249 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

SQL Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDB	CNA	6.3 MEDIUM				CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Vendor	Product	Version
dlink	dar-7000_firmware	𝑥 ≤ 2015-12-31

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

References

https://github.com/llixixi/cve/blob/main/D-LINK-DAR-8000-10_sql_%20querysql.md

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10354

https://vuldb.com/?ctiid.240249

https://vuldb.com/?id.240249

https://github.com/llixixi/cve/blob/main/D-LINK-DAR-8000-10_sql_%20querysql.md

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10354

https://vuldb.com/?ctiid.240249

https://vuldb.com/?id.240249