D-Link DAP-1522 <= 1.42 Authentication Bypass Vulnerability CVE-2020-15896

Severity
CVSSv3 Score: 7.5
Vulnerability description

D-Link DAP-1522 is prone to an authentication bypass vulnerability.

Risk description

A few pages, e.g. logout.php and login.php, are directly accessible to any unauthenticated user. This is decided by checking the value of NO_NEED_AUTH: if the value of NO_NEED_AUTH is 1, the user has direct access to the web page without any authentication. By appending the query string NO_NEED_AUTH with the value of 1 to any protected URL, any unauthorized user can access the application directly, as demonstrated by bsc_lan.php?NO_NEED_AUTH=1.
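
A detection check for this pattern, added here as an example and not taken from the advisory or the scanner: it scans access-log lines for requests that set NO_NEED_AUTH=1 on any page other than the two public ones named above. The Combined Log Format, a logging proxy in front of the device's web interface, and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Pages the advisory names as reachable without authentication.
PUBLIC_PAGES = {"login.php", "logout.php"}

# Assumption: Common/Combined Log Format written by a proxy in front of the device.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_bypass_attempts(lines):
    """Return (source, page, status) for requests that set NO_NEED_AUTH=1
    on a page that is not one of the public pages."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m.group("target"))
        page = url.path.rsplit("/", 1)[-1].lower()
        # parse_qsl percent-decodes names and values, so NO%5FNEED%5FAUTH is caught.
        params = parse_qsl(url.query, keep_blank_values=True)
        # Name is compared case-insensitively to err on the side of flagging.
        forced = any(k.upper() == "NO_NEED_AUTH" and v.strip() == "1"
                     for k, v in params)
        if forced and page not in PUBLIC_PAGES:
            hits.append((m.group("src"), page, int(m.group("status"))))
    return hits

# Constructed sample lines using documentation IP ranges, not captured traffic.
SAMPLE = [
    '192.0.2.10 - - [22/Jul/2020:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 1532',
    '198.51.100.7 - - [22/Jul/2020:10:00:05 +0000] "GET /bsc_lan.php?NO_NEED_AUTH=1 HTTP/1.1" 200 8841',
    '203.0.113.5 - - [22/Jul/2020:10:00:09 +0000] "GET /bsc_lan.php?x=1&NO%5FNEED%5FAUTH=1 HTTP/1.1" 200 8841',
    '192.0.2.10 - - [22/Jul/2020:10:00:12 +0000] "GET /login.php?NO_NEED_AUTH=1 HTTP/1.1" 200 1532',
    '192.0.2.10 - - [22/Jul/2020:10:00:15 +0000] "GET /bsc_lan.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for src, page, status in find_bypass_attempts(SAMPLE):
        print(f"{src} requested {page} with NO_NEED_AUTH=1 (HTTP {status})")
```

A 200 status on a flagged request indicates the protected page was served; any hit warrants checking whether the device is reachable from untrusted networks.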

Recommendation

No solution was made available by the vendor. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product with another one. The vendor states: DAP-1522 (EOS: 07/01/2016) has reached its End-of-Support (EOS) / End-of-Life (EOL) Date. As a general policy, when the product reaches EOS/EOL, it can no longer be supported, and all firmware development for the product ceases, except in certain unique situations.

Codename: Not available
Detectable with: Network Scanner
Scan engine: OpenVAS
Exploitable with Sniper: No
CVE Published: Jul 22, 2020
Detection added at:
Software Type: Not available
Vendor: Not available
Product: Not available