How severe is CVE-2020-15892?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2020-15892?

This is classified as CWE-669, which is a common weakness in software security.

CVE-2020-15892 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

An issue was discovered in apply.cgi on D-Link DAP-1520 devices before 1.10b04Beta02. Whenever a user performs a login action from the web interface, the request values are being forwarded to the ssi binary. On the login page, the web interface restricts the password input field to a fixed length of 15 characters. The problem is that validation is being done on the client side, hence it can be bypassed. When an attacker manages to intercept the login request (POST based) and tampers with the vulnerable parameter (log_pass), to a larger length, the request will be forwarded to the webserver. This results in a stack-based buffer overflow. A few other POST variables, (transferred as part of the login request) are also vulnerable: html_response_page and log_user.

Related Vulnerabilities

CVE-2016-5062

CRITICAL

CVSS:9.8(Critical)

The web server in Aternity before 9.0.1 does not require authentication for getMBeansFromURL loading of Java MBeans, which allows remote attackers to execute arbitrary Java code by registering MBeans.

CWE-6692016

CVE-2020-5800

CRITICAL

CVSS:9.8(Critical)

The Eat Spray Love mobile app for both iOS and Android contains logic that allows users to bypass authentication and retrieve or modify information that they would not normally have access to.

CWE-6692020

CVE-2023-31114

CRITICAL

CVSS:9.1(Critical)

An issue was discovered in the Shannon RCS component in Samsung Exynos Modem 5123 and 5300. Incorrect resource transfer between spheres can cause unintended querying of the SIM status via a crafted ap...

CWE-6692023

CVE-2019-1020011

CRITICAL

CVSS:9.0(Critical)

SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority.

CWE-6692019

CVE-2019-11875

HIGH

CVSS:8.8(High)

In AutomateAppCore.dll in Blue Prism Robotic Process Automation 6.4.0.8445, a vulnerability in access control can be exploited to escalate privileges. The vulnerability allows for abusing the applicat...

CWE-6692019

CVE-2019-13263

HIGH

CVSS:8.8(High)

D-link DIR-825AC G1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. A DHCP Request is sent to the router with a certa...

CWE-6692019