The web/web_file/fb_publish.php script in D-Link DNS-320L prior to 1.04b12 and DNS-327L prior to 1.03b04 Build0119 does not authenticate requests, which allows remote malicious users to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
d-link dns-327l_firmware |
||
d-link dns-320l_firmware |