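Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery (CSRF) vulnerability: the device carries out administrative actions without validating that the request was deliberately issued by the logged-in user. Attackers can craft malicious web pages that trigger unauthorized configuration changes through predictable action URLs when a logged-in user visits the attacker's page. Note that exploitation as described depends on that visit, whereas the CVSS 3.1 vector in the JSON record below is scored with UI:N (no user interaction); keep that discrepancy in mind when using the 5.3 base score for prioritisation.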
PUBLISHED | 5.2 | CWE-352
Devolo dLAN 500 AV Wireless+ 3.1.0-1 Cross-Site Request Forgery
Problem type
Affected products
devolo AG
dLAN 550 duo+ Starter Kit
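500 AV Wireless+ 3.1.0-1 - AFFECTED (the record files this version under the product name "dLAN 550 duo+ Starter Kit", while the title and description name the dLAN 500 AV Wireless+; confirm the exact model and firmware against your inventory before scoping. No fixed version is listed in this record.)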
References
ExploitDB-46324
https://www.exploit-db.com/exploits/46324
Official Product Homepage
https://www.devolo.com
Zero Science Lab Disclosure (ZSL-2019-5507)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5507.php
GitHub Security Advisories
GHSA-vq8q-pgj7-r79w
Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that...
https://github.com/advisories/GHSA-vq8q-pgj7-r79w
Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2019-25250
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2019-25250",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2025-12-24T20:22:20.223Z",
"dateReserved": "2025-12-24T14:27:12.477Z",
"datePublished": "2025-12-24T19:28:03.241Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2025-12-24T19:28:03.241Z"
},
"datePublic": "2017-10-04T00:00:00.000Z",
"title": "Devolo dLAN 500 AV Wireless+ 3.1.0-1 Cross-Site Request Forgery",
"descriptions": [
{
"lang": "en",
"value": "Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site."
}
],
"affected": [
{
"vendor": "devolo AG",
"product": "dLAN 550 duo+ Starter Kit",
"versions": [
{
"version": "500 AV Wireless+ 3.1.0-1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Cross-Site Request Forgery (CSRF)",
"cweId": "CWE-352",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/46324",
"name": "ExploitDB-46324",
"tags": [
"exploit"
]
},
{
"url": "https://www.devolo.com",
"name": "Official Product Homepage",
"tags": [
"product"
]
},
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5507.php",
"name": "Zero Science Lab Disclosure (ZSL-2019-5507)",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"value": "Stefan Petrushevski aka sm @zeroscience",
"type": "finder"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-12-24T20:22:20.223Z"
},
"title": "CISA ADP Vulnrichment",
"references": [
{
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5507.php",
"tags": [
"exploit"
]
}
],
"metrics": [
{}
]
}
]
}
}