Skip to main content

Dir 816L Firmware CVE-2015-5999

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2015-11-18 cret@cert.org
6.8
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:M/Au:N/C:P/I:P/A:P
Attack Vector
Network
Attack Complexity
M
Confidentiality
P
Integrity
P
Availability
P

Lifecycle Timeline

1
CVE Published
Nov 18, 2015 - 16:59 cve.org
MEDIUM 6.8

DescriptionCVE.org

Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password, (2) change the network policy, or (3) possibly have other unspecified impact via crafted requests to hedwig.cgi and pigwidgeon.cgi.

AnalysisAI

Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 14.4%.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password, (2) change the network policy, or (3) possibly have other unspecified impact via crafted requests to hedwig.cgi and pigwidgeon.cgi. Affected products include: Dlink Dir-816L Firmware. Version information: before 2.06..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2020-15893 CRITICAL POC
9.8 Jul 22

An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. Rated critical severity (CVSS 9.8), this vu

CVE-2022-28956 CRITICAL POC
9.8 May 18

An issue in the getcfg.php component of D-Link DIR816L_FW206b01 allows attackers to access the device via a crafted payl

CVE-2022-28955 HIGH POC
7.5 May 18

An access control issue in D-Link DIR816L_FW206b01 allows unauthenticated attackers to access folders folder_view.php an

CVE-2019-7642 HIGH POC
7.5 Mar 25

D-Link routers with the mydlink feature have some web interfaces without authentication requirements. Rated high severit

CVE-2020-25786 MEDIUM POC
6.1 Sep 19

webinc/js/info.php on D-Link DIR-816L 2.06.B09_BETA and DIR-803 1.04.B02 devices allows XSS via the HTTP Referer header.

CVE-2020-15895 MEDIUM POC
6.1 Jul 22

An XSS issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. Rated medium severity (CVSS 6.1), this

CVE-2020-15894 HIGH
7.5 Jul 22

An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. Rated high severity (CVSS 7.5), this vulner

CVE-2025-7836 LOW POC
2.1 Jul 19

Command injection in D-Link DIR-816L firmware up to version 2.06B01 allows authenticated remote attackers to execute arb

CVE-2025-13191 HIGH POC
7.4 Nov 15

A vulnerability was determined in D-Link DIR-816L 2_06_b09_beta.cgi. Rated high severity (CVSS 7.4), this vulnerability

CVE-2025-13190 HIGH POC
7.4 Nov 15

A vulnerability was found in D-Link DIR-816L 2_06_b09_beta. Rated high severity (CVSS 7.4), this vulnerability is remote

CVE-2025-13189 HIGH POC
7.4 Nov 15

A vulnerability has been found in D-Link DIR-816L 2_06_b09_beta. Rated high severity (CVSS 7.4), this vulnerability is r

CVE-2025-13188 HIGH POC
8.9 Nov 14

A vulnerability was detected in D-Link DIR-816L 2_06_b09_beta. Rated high severity (CVSS 8.9), this vulnerability is rem

Share

CVE-2015-5999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy