CVE-2020-25757
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
15/12/2020
Last modified:
21/07/2021
Description
A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
8.30
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:dlink:dsr-150_firmware:*:*:*:*:*:*:*:* | 3.17 (including) | |
| cpe:2.3:h:dlink:dsr-150:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dlink:dsr-150n_firmware:*:*:*:*:*:*:*:* | 3.17 (including) | |
| cpe:2.3:h:dlink:dsr-150n:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dlink:dsr-250_firmware:*:*:*:*:*:*:*:* | 3.17 (including) | |
| cpe:2.3:h:dlink:dsr-250:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dlink:dsr-250n_firmware:*:*:*:*:*:*:*:* | 3.17 (including) | |
| cpe:2.3:h:dlink:dsr-250n:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dlink:dsr-500_firmware:*:*:*:*:*:*:*:* | 3.17 (including) | |
| cpe:2.3:h:dlink:dsr-500:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dlink:dsr-500n_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:dlink:dsr-500n:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dlink:dsr-500ac_firmware:*:*:*:*:*:*:*:* | 3.17 (including) | |
| cpe:2.3:h:dlink:dsr-500ac:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:dlink:dsr-1000_firmware:*:*:*:*:*:*:*:* | 3.17 (including) |
To consult the complete list of CPE names with products and versions, see this page