CVE-2020-25786

Name: CVE-2020-25786
Creator: NVD / NIST
Published: 2020-09-19T20:15:11.903+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.1/10EPSS 0.99%

Last modified Jun 17, 2026

CVE-2020-25786 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. webinc/js/info.php on D-Link DIR-816L 2.06.B09_BETA and DIR-803 1.04.B02 devices allows XSS via the HTTP Referer header. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. EPSS estimates a 0.99% chance of exploitation in the next 30 days.

Description

webinc/js/info.php on D-Link DIR-816L 2.06.B09_BETA and DIR-803 1.04.B02 devices allows XSS via the HTTP Referer header. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: this is typically not exploitable because of URL encoding (except in Internet Explorer) and because a web page cannot specify that a client should make an additional HTTP request with an arbitrary Referer header

Metrics

CVSS 3.1

6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

0.99%

58.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions	Update
Dlink	Dir-803 Firmware	1.04.b02	—
Dlink	Dir-816l Firmware	2.06	—
Dlink	Dir-816l Firmware	2.06.b09	Beta
Dlink	Dir-645 Firmware	1.06b01	—
Dlink	Dir-815 Firmware	2.07.b01	—
Dlink	Dir-860l Firmware	1.10b04	—
Dlink	Dir-865l Firmware	1.08b01	—

References

https://github.com/sek1th/iot/blob/master/DIR-816L_XSS.mdExploit, Third Party Advisory
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10190Vendor Advisory
https://github.com/sek1th/iot/blob/master/DIR-816L_XSS.mdExploit, Third Party Advisory
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10190Vendor Advisory

Timeline

Published: Sep 19, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-25786?

How severe is CVE-2020-25786?

CVE-2020-25786 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.99% probability of exploitation in the next 30 days.

How do I fix CVE-2020-25786?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-25786?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST