Missing Authentication for Critical Function

CVE-2019-7390

High

8.6/10

Summary

An issue was discovered in /bin/goahead on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to hijack the DNS service configuration of all clients in the WLAN, without authentication, via the SetWanSettings HNAP API.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-306 - Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

Advisory Timeline

Published Feb 05, 2019

Missing Authentication for Critical Function

CVE-2019-7390

Summary

CWE-306 - Missing Authentication for Critical Function

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS