Vulnerability Description
D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass.
*Information Disclosure –
A. The "login.asp" file contains a URL with a private IP at line 15: window.location.href = "http://192.168.1.1/setupWizard.asp";
B. While accessing the web interface, the login form at "login.asp" contains the default username value "admin".
*Authorization Bypass – the web interface does not properly validate user identity variable values located at the client side: while it blocks direct access to the "setupWizard.asp" URL by browser, it is available to access it without "login_glag" and "login_status" checking and to read the admin user credentials for the web interface.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dlink | G Integrated Access Device4 Firmware | 1.0 |
| Dlink | G Integrated Access Device4 | - |
Related Weaknesses (CWE)
References
- https://www.gov.il/en/Departments/faq/cve_advisories (Third Party Advisory)
FAQ
What is CVE-2022-36785?
CVE-2022-36785 is a vulnerability with a CVSS score of 7.5 (HIGH). D-Link – G integrated Access Device4 Information Disclosure & Authorization Bypass. *Information Disclosure – A. The "login.asp" file contains a URL with a private IP at line 15: window.location.href =...
How severe is CVE-2022-36785?
CVE-2022-36785 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-36785?
Check the references section above for vendor advisories and patch information. Affected products include: Dlink G Integrated Access Device4 Firmware, Dlink G Integrated Access Device4.