An information disclosure vulnerability has been identified in the /xml/info.xml
URI accessible through D-Link NAS devices. This vulnerability, affecting over 61,000 devices on the Internet, allows unauthorized access to sensitive device information without authentication, which could be exploited by an attacker to gain insight into device specifics that could facilitate further attacks.
The vulnerability is specifically located in the /xml/info.xml
URI which is accessible via HTTP GET request. This XML file contains sensitive information about the NAS device, including hardware version and firmware details.
CWE-200: Exposure of Sensitive Information.
An attacker can exploit this vulnerability by sending a simple HTTP GET request to the target device. The following curl command exemplifies how an attacker might access the /xml/info.xml
URI:
curl "[Target-IP]/xml/info.xml"