(0Day) D-Link D-View showUsers Improper Authorization Privilege Escalation Vulnerability

October 4th, 2023
ZDI-23-1508 ZDI-CAN-19535

CVE ID

CVE-2023-44410

CVSS Score

8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors

D-Link

Affected Products

D-View

Vulnerability Details

This vulnerability allows remote attackers to escalate privileges on affected installations of D-Link D-View. Authentication is required to exploit this vulnerability.

The specific flaw exists within the showUsers method. The issue results from the lack of proper authorization before accessing a privileged endpoint. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user.

Additional Details

12/23/22 – The ZDI reported the vulnerability to the vendor.

08/25/23 – ZDI asked for an update.

08/30/23 – The vendor states they don’t have the case on record.

08/31/23 – ZDI forwarded the original report to the vendor.

09/29/23 – The ZDI informed the vendor that the case will be published as a zero-day advisory on 10/04/23.

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.


Disclosure Timeline

  • 2022-12-23 - Vulnerability reported to vendor
  • 2023-10-04 - Coordinated public release of advisory

Credit

Andrea Micalizzi aka rgod

Back to Advisories