Skip to main content

D-Link DCS-6010L CVE-2025-8155

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-07-25 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:48 vuln.today

DescriptionCVE.org

A vulnerability has been found in D-Link DCS-6010L 1.15.03 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /vb.htm of the component Management Application. The manipulation of the argument paratest leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Cross-site scripting (XSS) vulnerability in D-Link DCS-6010L firmware 1.15.03 allows authenticated remote attackers to inject malicious scripts via the paratest argument in the Management Application's /vb.htm endpoint. The vulnerability requires user interaction (UI:P) and affects an end-of-life product with publicly available exploit code, though real-world risk is significantly limited by authentication requirement (PR:L) and very low EPSS score (0.05%).

Technical ContextAI

The vulnerability exists in the Management Application component of the D-Link DCS-6010L network camera firmware, specifically in the /vb.htm file which handles video configuration or management parameters. The root cause is improper input validation and output encoding of the 'paratest' parameter (CWE-79: Improper Neutralization of Input During Web Page Generation). The parameter is processed without adequate HTML entity encoding or sanitization before being reflected in the HTTP response, allowing an attacker to break out of the intended context and execute arbitrary JavaScript in the victim's browser session. This is a reflected XSS vulnerability rather than stored, as the payload must be delivered via a crafted URL to a victim who is already authenticated to the device's management interface.

RemediationAI

No vendor-released patch is available for this product, as D-Link has discontinued support for the DCS-6010L. Organizations with active deployments should: (1) prioritize network segmentation - restrict management interface access (/vb.htm) to trusted administrative networks only using firewall rules or VPN gateways, limiting access to LAN IP ranges rather than exposing to the internet; (2) disable remote management features in the camera configuration if not actively used for monitoring; (3) implement reverse-proxy authentication (e.g., through a WAF or nginx reverse-proxy) that strips or re-validates the paratest parameter before forwarding requests to the camera; (4) plan migration to a supported D-Link camera model or alternative vendor with active security maintenance. If the camera must remain in service, prioritize credential security - use strong, unique passwords and monitor for unauthorized authentication attempts to the management interface. Segment management traffic from production video streams to contain potential XSS impact to session cookies only.

Share

CVE-2025-8155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy