A security issue exists in D-Link D-View 8 v2.0.2.89 and prior that could allow an attacker to manipulate the probe inventory of the D-View service. This could result in the disclosure of information from other probes, denial of service conditions due to the probe inventory becoming full, or the execution of tasks on other probes.
An attacker, without any authentication and from any network location, can manipulate the probe inventory managed by the D-View service. Lack of proper input validation (CWE-20) allows unauthorized registration or modification of probe entries. As a result, the inventory can be overflowed, leading to denial of service conditions, or the attacker can impersonate another probe and take over task execution.
An attacker can gain access to information collected by other probes (confidentiality breach), cause denial of service by overflowing the probe inventory (DoS), and execute tasks on behalf of other probes — which may lead to unauthorized actions in the managed network.
Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict network access to the D-View service only to trusted hosts using a firewall and to monitor activity in the probe inventory.
D-Link D-View 8 versions 2.0.2.89 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HDlink D View 8
APPDlink2.0.2.89
Related vulnerabilities
D-Link D-View 8 — pominięcie uwierzytelnienia przez zakodowany klucz kryptograficzny
D-Link D-View: RCE przez ujawnioną niebezpieczną funkcję w coreservice_action_script
D-Link D-View: RCE przez path traversal w TftpReceiveFileHandler
D-Link D-View: pominięcie uwierzytelnienia przez hardkodowany klucz kryptograficzny
D-Link D-View: hardcoded credentials umożliwiają bypass uwierzytelnienia