D-Link Products Improper Access Control Vulnerability in WebDAV Access List Function

A vulnerability exists in multiple D-Link NAS devices, including the DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, all prior to the version 20260205. The issue arises in the 'Webdav_Access_List' function within the '/cgi-bin/file_center.cgi' file, where improper access controls allow unauthenticated users to access WebDAV access information. This vulnerability can be exploited remotely, leading to the unauthorized disclosure of structured configuration data, including shared directory names, WebDAV access URLs, and the device's internal IPv4 address. Such information could be used to enumerate shared resources and exposed WebDAV endpoints, potentially facilitating further unauthorized access and attacks.

Impact

Exploitation of this vulnerability allows for unauthorized access to WebDAV access information, including shared directory names and corresponding WebDAV access URLs, which could be used to access shared resources or WebDAV endpoints without authorization.