CVE-2017-17020

Summary

CVE	CVE-2017-17020
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-05-01 16:29:00 UTC
Updated	2023-04-26 19:27:00 UTC
Description	On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 devices with firmware 1.14.09 and earlier, and DCS-5020L devices with firmware before 1.15.01, command injection in alphapd (binary responsible for running the camera's web server) allows remote authenticated attackers to execute code through sanitized /setSystemAdmin user input in the AdminID field being passed directly to a call to system.

Risk And Classification

Problem Types: CWE-78

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	D-link	Dcs-5009	-	All	All	All
Hardware	D-link	Dcs-5009	-	All	All	All
Operating System	D-link	Dcs-5009 Firmware	All	All	All	All
Hardware	D-link	Dcs-5010	-	All	All	All
Hardware	D-link	Dcs-5010	-	All	All	All
Operating System	D-link	Dcs-5010 Firmware	All	All	All	All
Hardware	D-link	Dcs-5020l	-	All	All	All
Hardware	D-link	Dcs-5020l	-	All	All	All
Operating System	D-link	Dcs-5020l Firmware	All	All	All	All
Hardware	Dlink	Dcs-5009	-	All	All	All
Operating System	Dlink	Dcs-5009 Firmware	All	All	All	All
Hardware	Dlink	Dcs-5010	-	All	All	All
Operating System	Dlink	Dcs-5010 Firmware	All	All	All	All
Hardware	Dlink	Dcs-5020l	-	All	All	All
Operating System	Dlink	Dcs-5020l Firmware	All	All	All	All

References

Reference	Source	Link	Tags
D-Link Technical Support	CONFIRM	supportannouncement.us.dlink.com	Vendor Advisory
DLink DCS-5020L Remote Code Execution - CVE-2017-17020	MISC	www.fidusinfosec.com	Exploit, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.