An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The ‘username’ parameter of the addUser endpoint is vulnerable to stored XSS.
dlink
CVE-2018-17442
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. An unrestricted file upload vulnerability in the onUploadLogPic endpoint allows remote authenticated users to execute arbitrary PHP code.
CVE-2018-17443
An issue was discovered on D-Link Central WiFi Manager before v 1.03r0100-Beta1. The ‘sitename’ parameter of the UpdateSite endpoint is vulnerable to stored XSS.
CVE-2018-16605
D-Link DIR-600M devices allow XSS via the Hostname and Username fields in the Dynamic DNS Configuration page.
CVE-2018-16408
D-Link DIR-846 devices with firmware 100.26 allow remote attackers to execute arbitrary code as root via a SetNetworkTomographySettings request by leveraging admin access.
CVE-2018-15875
Cross-site scripting (XSS) vulnerability on D-Link DIR-615 routers 20.07 allows attackers to inject JavaScript into the router’s admin UPnP page via the description field in an AddPortMapping UPnP SOAP request.