Vulnerability Note VU#377348
D-Link DCS-93xL model family allows unrestricted upload
Original Release date: 16 Mar 2015 | Last revised: 16 Mar 2015
The D-Link DCS-93xL family of devices (specifically the DCS-930L, DCS-931L, DCS-932L, and DCS-933L models) allows an attacker to upload arbitrary files from the attackers system.
CWE-434: Unrestricted Upload of File with Dangerous Type
The D-Link DCS-93xL family of devices allows an attacker to upload arbitrary files from the attackers system. The attacker may specify the file location to write on the device. This could lead to data being created, modified, or deleted. It may also lead to arbitrary code execution.
The D-Link Firmware Version 1.04 (2014-04-21) has been found to be vulnerable. Other firmware versions may also be affected.
This firmware is used on the DCS-931L, DCS-930L, DCS-932L, and DCS-933L models.
A remote authenticated attacker can upload arbitrary files to the device’s file system. This could lead to data being created, modified, or deleted. It may also lead to arbitrary code execution.
Update the firmware
According to D-Link’s security advisory, users should update the firmware for affected device to the latest version.
Vendor Information (Learn More)
VendorStatusDate NotifiedDate UpdatedD-Link Systems, Inc.Affected-13 Mar 2015If you are a vendor and your product is affected, let
CVSS Metrics (Learn More)
Thanks to Mike Baucom, Allen Harper, and J. Rach of Tangible Security for discovering and reporting this vulnerability. Tangible Security would also like to publically thank D-Link for their cooperation and desire to make their products and customers more secure.
This document was written by Garret Wassermann.
13 Mar 2015
Date First Published:
16 Mar 2015
Date Last Updated:
16 Mar 2015
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.