2021-08-04 05:25:54 +00:00
id : CVE-2018-15517
info :
2022-05-13 20:26:43 +00:00
name : D-Link Central WifiManager - Server-Side Request Forgery
2022-04-22 10:38:41 +00:00
author : gy741
severity : high
2022-05-17 09:18:12 +00:00
description : D-Link Central WifiManager is susceptible to server-side request forgery. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. This can undermine accountability of where scan or connections actually came from and or bypass the FW etc. This can be automated via script or using a browser.
2023-09-06 12:57:14 +00:00
remediation : |
Apply the latest security patches or updates provided by D-Link to fix the SSRF vulnerability in Central WifiManager.
2021-08-04 05:25:54 +00:00
reference :
- http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
2022-04-07 13:53:15 +00:00
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15517
2022-05-17 09:18:12 +00:00
- http://seclists.org/fulldisclosure/2018/Nov/28
- http://packetstormsecurity.com/files/150243/D-LINK-Central-WifiManager-CWM-100-1.03-r0098-Server-Side-Request-Forgery.html
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
2022-04-22 10:38:41 +00:00
cvss-score : 8.6
2021-09-10 11:26:40 +00:00
cve-id : CVE-2018-15517
cwe-id : CWE-918
2023-07-11 19:49:27 +00:00
epss-score : 0.01414
2023-10-27 16:34:45 +00:00
epss-percentile : 0.85034
2023-09-06 12:57:14 +00:00
cpe : cpe:2.3:a:dlink:central_wifimanager:1.03:r0098:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : dlink
product : central_wifimanager
tags : seclists,packetstorm,cve,cve2018,dlink,ssrf,oast
2021-08-04 05:25:54 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-08-04 05:25:54 +00:00
- method : GET
path :
- "{{BaseURL}}/index.php/System/MailConnect/host/{{interactsh-url}}/port/80/secure/"
matchers :
- type : word
part : interactsh_protocol # Confirms the HTTP Interaction
words :
- "http"
2023-10-27 08:59:57 +00:00
# digest: 4a0a00473045022100ec753b21e3806485e25346d4bf4d1d3e29f2c23b14baa7218cb09cbca387872202201af0ba3396b5809b41e54269f13639f5a9478b7678f18b893d56110acc1e81fb:922c64590222798bb761d5b6d8e72950