CVE-2024-40505
Path Traversal: '.../...//' (CWE-35)
Summary
Directory Traversal vulnerability in D-Link DAP-1650 Firmware v.1.03 allows a local attacker to escalate privileges via the hedwig.cgi component.
Impact
This vulnerability has a high severity with a CVSS v3.1 base score of 9.3. It allows a local attacker to escalate privileges, potentially gaining unauthorized access to sensitive information, modifying system configurations, or disrupting system availability. The impact is severe across confidentiality, integrity, and availability, all rated as HIGH. The scope is CHANGED, indicating that the vulnerability can affect resources beyond its security scope.
Exploitation
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
Patch
As of the vulnerability data provided, there is no mention of an available patch. The firmware version affected is v.1.03 of the D-Link DAP-1650 device.
Mitigation
While no specific mitigation is mentioned in the provided data, general recommendations for directory traversal vulnerabilities include: 1. Update the firmware to a patched version if and when it becomes available. 2. Implement strict input validation and sanitization for the hedwig.cgi component. 3. Apply the principle of least privilege to limit potential damage from successful exploits. 4. Monitor and log access attempts to the affected component for signs of exploitation. 5. Consider network segmentation to isolate affected devices if patching is not immediately possible.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Timeline
Feedly found the first article mentioning CVE-2024-40505. See article
Feedly estimated the CVSS score as MEDIUM
NVD published the first details for CVE-2024-40505
EPSS Score was set to: 0.04% (Percentile: 9.3%)
A CVSS base score of 9.3 has been assigned.