CVE-2018-18767 — HIGH (7.0)

Vulnerability Description

An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials.

CVSS Score

7.0

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Dlink	Mydlink Baby Camera Monitor	2.04.06
D-Link	Dcs-825L Firmware	1.08
Dlink	Dcs-825L	-

Related Weaknesses (CWE)

CWE-326

References

https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vuExploitThird Party Advisory
https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vuExploitThird Party Advisory

FAQ

What is CVE-2018-18767?

CVE-2018-18767 is a vulnerability with a CVSS score of 7.0 (HIGH). An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi...

How severe is CVE-2018-18767?

CVE-2018-18767 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-18767?

Check the references section above for vendor advisories and patch information. Affected products include: Dlink Mydlink Baby Camera Monitor, D-Link Dcs-825L Firmware, Dlink Dcs-825L.