Search criteria
60 vulnerabilities found for dns-326_firmware by dlink
FKIE_CVE-2024-8213
Vulnerability from fkie_nvd - Published: 2024-08-27 20:15 - Updated: 2024-08-29 15:51
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_FMT_R12R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275922 | Permissions Required | |
| cna@vuldb.com | https://vuldb.com/?id.275922 | Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?submit.397277 | Third Party Advisory | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_FMT_R12R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Una vulnerabilidad clasificada como cr\u00edtica ha sido encontrada en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS- 325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 en adelante a 20240814. La funci\u00f3n cgi_FMT_R12R5_1st_DiskMGR del fichero /cgi-bin/hd_config.cgi es afectada por la vulnerabilidad. La manipulaci\u00f3n del argumento f_source_dev conduce a la inyecci\u00f3n de comandos. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8213",
"lastModified": "2024-08-29T15:51:33.390",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-27T20:15:09.423",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required"
],
"url": "https://vuldb.com/?ctiid.275922"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.275922"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?submit.397277"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8212
Vulnerability from fkie_nvd - Published: 2024-08-27 20:15 - Updated: 2024-08-29 15:53
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_R12R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_2nd_DiskMGR.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275921 | Permissions Required | |
| cna@vuldb.com | https://vuldb.com/?id.275921 | Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?submit.397276 | Third Party Advisory | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_R12R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS- 326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20240814. ha sido calificado como cr\u00edtico. Este problema afecta la funci\u00f3n cgi_FMT_R12R5_2nd_DiskMGR del archivo /cgi-bin/hd_config.cgi. La manipulaci\u00f3n del argumento f_source_dev conduce a la inyecci\u00f3n de comandos. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8212",
"lastModified": "2024-08-29T15:53:02.077",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-27T20:15:09.110",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_2nd_DiskMGR.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required"
],
"url": "https://vuldb.com/?ctiid.275921"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.275921"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?submit.397276"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8214
Vulnerability from fkie_nvd - Published: 2024-08-27 20:15 - Updated: 2024-08-29 15:44
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected by this vulnerability is the function cgi_FMT_Std2R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_2nd_DiskMGR.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275923 | Permissions Required | |
| cna@vuldb.com | https://vuldb.com/?id.275923 | Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?submit.397278 | Issue Tracking | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected by this vulnerability is the function cgi_FMT_Std2R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Una vulnerabilidad clasificada como cr\u00edtica fue encontrada en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325 , DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20240814. La funci\u00f3n cgi_FMT_Std2R5_2nd_DiskMGR del archivo /cgi-bin/hd_config.cgi es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento f_source_dev conduce a la inyecci\u00f3n de comandos. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8214",
"lastModified": "2024-08-29T15:44:45.280",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-27T20:15:09.703",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_2nd_DiskMGR.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required"
],
"url": "https://vuldb.com/?ctiid.275923"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.275923"
},
{
"source": "cna@vuldb.com",
"tags": [
"Issue Tracking"
],
"url": "https://vuldb.com/?submit.397278"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8210
Vulnerability from fkie_nvd - Published: 2024-08-27 19:15 - Updated: 2024-08-29 16:04
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_3rd_DiskMGR.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275919 | Permissions Required | |
| cna@vuldb.com | https://vuldb.com/?id.275919 | Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?submit.397274 | Third Party Advisory | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS- 326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20240814. ha sido clasificado como cr\u00edtico. Esto afecta la funci\u00f3n sprintf del archivo /cgi-bin/hd_config.cgi. La manipulaci\u00f3n del argumento f_mount conduce a la inyecci\u00f3n de comandos. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8210",
"lastModified": "2024-08-29T16:04:45.310",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-27T19:15:18.250",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_3rd_DiskMGR.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required"
],
"url": "https://vuldb.com/?ctiid.275919"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.275919"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?submit.397274"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8211
Vulnerability from fkie_nvd - Published: 2024-08-27 19:15 - Updated: 2024-08-29 15:54
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_newly_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R1_DiskMGR.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275920 | Permissions Required | |
| cna@vuldb.com | https://vuldb.com/?id.275920 | Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?submit.397275 | Issue Tracking | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_newly_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS- 326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20240814. ha sido declarado cr\u00edtico. Esta vulnerabilidad afecta a la funci\u00f3n cgi_FMT_Std2R1_DiskMGR del archivo /cgi-bin/hd_config.cgi. La manipulaci\u00f3n del argumento f_newly_dev conduce a la inyecci\u00f3n de comandos. El ataque se puede iniciar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8211",
"lastModified": "2024-08-29T15:54:56.390",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-27T19:15:18.553",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R1_DiskMGR.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required"
],
"url": "https://vuldb.com/?ctiid.275920"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.275920"
},
{
"source": "cna@vuldb.com",
"tags": [
"Issue Tracking"
],
"url": "https://vuldb.com/?submit.397275"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8134
Vulnerability from fkie_nvd - Published: 2024-08-24 20:15 - Updated: 2024-08-27 15:39
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_1st_DiskMGR.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275705 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.275705 | Permissions Required, Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?submit.396296 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS- 326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20240814. Ha sido calificada como cr\u00edtica. Este problema afecta la funci\u00f3n cgi_FMT_Std2R5_1st_DiskMGR del archivo /cgi-bin/hd_config.cgi del componente HTTP POST Request Handler. La manipulaci\u00f3n del argumento f_source_dev conduce a la inyecci\u00f3n de comandos. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8134",
"lastModified": "2024-08-27T15:39:53.537",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-24T20:15:04.503",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_1st_DiskMGR.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.275705"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.275705"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?submit.396296"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8133
Vulnerability from fkie_nvd - Published: 2024-08-24 19:15 - Updated: 2024-08-27 15:35
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_R5_SpareDsk_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R5_SpareDsk_DiskMGR.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275704 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.275704 | Permissions Required, Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?submit.396295 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_R5_SpareDsk_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS- 326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20240814. Ha sido declarada cr\u00edtica. Esta vulnerabilidad afecta a la funci\u00f3n cgi_FMT_R5_SpareDsk_DiskMGR del archivo /cgi-bin/hd_config.cgi del componente HTTP POST Request Handler. La manipulaci\u00f3n del argumento f_source_dev conduce a la inyecci\u00f3n de comandos. El ataque se puede iniciar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8133",
"lastModified": "2024-08-27T15:35:20.063",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-24T19:15:05.963",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R5_SpareDsk_DiskMGR.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.275704"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.275704"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?submit.396295"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8131
Vulnerability from fkie_nvd - Published: 2024-08-24 18:15 - Updated: 2024-08-27 15:34
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_module_enable_disable.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275702 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.275702 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?submit.396292 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS- 326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20240814 y clasificadas como cr\u00edticas. La funci\u00f3n module_enable_disable del archivo /cgi-bin/apkg_mgr.cgi del componente HTTP POST Request Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento f_module_name conduce a la inyecci\u00f3n de comandos. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8131",
"lastModified": "2024-08-27T15:34:36.710",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-24T18:15:04.420",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_module_enable_disable.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.275702"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.275702"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?submit.396292"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8132
Vulnerability from fkie_nvd - Published: 2024-08-24 18:15 - Updated: 2024-08-27 15:35
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function webdav_mgr of the file /cgi-bin/webdav_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_webdav_mgr.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275703 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.275703 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?submit.396293 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function webdav_mgr of the file /cgi-bin/webdav_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS- 326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20240814. Ha sido clasificada como cr\u00edtica. Esto afecta a la funci\u00f3n webdav_mgr del archivo /cgi-bin/webdav_mgr.cgi del componente HTTP POST Request Handler. La manipulaci\u00f3n del argumento f_path conduce a la inyecci\u00f3n de comandos. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8132",
"lastModified": "2024-08-27T15:35:01.557",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-24T18:15:04.727",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_webdav_mgr.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.275703"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.275703"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?submit.396293"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8130
Vulnerability from fkie_nvd - Published: 2024-08-24 17:15 - Updated: 2024-08-27 15:34
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3.md | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.275701 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.275701 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?submit.396291 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://www.dlink.com/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dlink | dns-1550-04_firmware | - | |
| dlink | dns-1550-04 | - | |
| dlink | dns-1200-05_firmware | - | |
| dlink | dns-1200-05 | - | |
| dlink | dns-1100-4_firmware | - | |
| dlink | dns-1100-4 | - | |
| dlink | dns-726-4_firmware | - | |
| dlink | dns-726-4 | - | |
| dlink | dns-345_firmware | - | |
| dlink | dns-345 | - | |
| dlink | dns-343_firmware | - | |
| dlink | dns-343 | - | |
| dlink | dns-340l_firmware | - | |
| dlink | dns-340l | - | |
| dlink | dnr-326_firmware | - | |
| dlink | dnr-326 | - | |
| dlink | dns-327l_firmware | - | |
| dlink | dns-327l | - | |
| dlink | dns-326_firmware | - | |
| dlink | dns-326 | - | |
| dlink | dns-325_firmware | - | |
| dlink | dns-325 | - | |
| dlink | dns-323_firmware | - | |
| dlink | dns-323 | - | |
| dlink | dnr-322l_firmware | - | |
| dlink | dnr-322l | - | |
| dlink | dns-321_firmware | - | |
| dlink | dns-321 | - | |
| dlink | dns-320lw_firmware | - | |
| dlink | dns-320lw | - | |
| dlink | dns-320l_firmware | - | |
| dlink | dns-320l | - | |
| dlink | dns-320_firmware | - | |
| dlink | dns-320 | - | |
| dlink | dns-315l_firmware | - | |
| dlink | dns-315l | - | |
| dlink | dnr-202l_firmware | - | |
| dlink | dnr-202l | - | |
| dlink | dns-120_firmware | - | |
| dlink | dns-120 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B2C1EF70-AD9B-48D7-8DF6-A6416C517F12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E691E775-382C-4BA9-AA44-FBC3148D3E54",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42DA6DEB-3578-44A5-916F-1628141F0DDE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D042C75D-6731-46B2-B11E-A009B9029B3F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAFE1E3-B705-4CF1-AEB9-A474432B6D34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D5D08ED7-3E7F-4D30-890E-6535F6C34682",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A74D270-9076-474D-A06F-C915FCEA2164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75E5010F-21BA-4B6B-B00C-2688268FD67B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "12C5E2D7-018E-4ED1-92C7-B5B1D8CC6990",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E56821-7EA0-4CA1-BA17-7FD4ED9F794C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DD656642-EDD4-4EB2-81AB-04207BC14196",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F968791D-D3BD-442C-818E-4E878B12776D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "39FF9666-8493-4A36-A199-1190AD8FAF3D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0646B20C-5642-4CEA-A96C-7E82AD94A281",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "816E5F34-CE76-49E5-91F3-8CC84C561558",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "33CB308B-CF82-4E40-B2DC-23EBD48CD130",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "172D5EFF-E0DF-4A99-8499-71450A46A86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DB305B29-7F89-4A52-9ECF-3DB0BDD2350D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5E6F048-D865-4378-87C7-B0E528134276",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D26F4F77-A6E3-4D7D-A781-BEB5FF7BC44F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16954393-3449-438A-978C-265EE3A35FF8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8042169D-D9FA-4BD6-90D1-E0DE269E42B9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641CB5F1-3DE0-480B-95A4-FC42A8FF3C97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*",
"matchCriteriaId": "94ED678A-AB4C-4637-B0D8-C232A0BB5D5F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD3AD5EE-8E1E-4336-A1AB-AB028CC71286",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DAF62A4-2429-4B89-8FAD-8B23EF15E050",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC28053F-88A9-4CA1-A2A2-CC90FEEA68FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2A278BC9-6197-43D9-93C2-3DF760856FB7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8FE78C5B-2A98-47EE-BF67-CF58AFE50A37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45467ABC-BAA9-4EB0-9F97-92E31854CA8B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4599D769-0210-4D49-9896-9AD1376A037E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6C677E53-6885-4EC4-A7CC-E24E8F445F59",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4452F9A4-3A0A-4773-9818-04C94CF9F8E7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A0F5355E-F68D-49FE-9793-1FD9BD9AF3E1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CFCD7B-EFFB-4FAB-9537-46AC7B567126",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03C5CED7-55A7-4026-95CD-A2ADB5853823",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "96195649-172A-4C21-AA15-7B05F86C5CEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*",
"matchCriteriaId": "07A92F2C-16FD-4A53-8066-83FEC2818DF5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C44BE2C6-BF3E-43C3-B32F-2DCE756F94BC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E161E54-2FE9-4359-9B2D-8700D00DE8E7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [
{
"sourceIdentifier": "cna@vuldb.com",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad en D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS -326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 y DNS-1550-04 hasta 20240814 y clasificada como cr\u00edtica. La funci\u00f3n cgi_s3 del archivo /cgi-bin/s3.cgi del componente HTTP POST Request Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento f_a_key conduce a la inyecci\u00f3n de comandos. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contact\u00f3 primeramente con el proveedor y se confirm\u00f3 que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."
}
],
"id": "CVE-2024-8130",
"lastModified": "2024-08-27T15:34:08.287",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2024-08-24T17:15:03.290",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.275701"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.275701"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?submit.396291"
},
{
"source": "cna@vuldb.com",
"tags": [
"Product"
],
"url": "https://www.dlink.com/"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-8214 (GCVE-0-2024-8214)
Vulnerability from cvelistv5 – Published: 2024-08-27 20:00 – Updated: 2024-08-27 20:51
VLAI?
Summary
A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected by this vulnerability is the function cgi_FMT_Std2R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8214",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T20:48:46.158660Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:51:23.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected by this vulnerability is the function cgi_FMT_Std2R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "In D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 wurde eine kritische Schwachstelle entdeckt. Dabei geht es um die Funktion cgi_FMT_Std2R5_2nd_DiskMGR der Datei /cgi-bin/hd_config.cgi. Durch Beeinflussen des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:00:06.123Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275923 | D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R5_2nd_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275923"
},
{
"name": "VDB-275923 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275923"
},
{
"name": "Submit #397278 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397278"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_2nd_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:48.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R5_2nd_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8214",
"datePublished": "2024-08-27T20:00:06.123Z",
"dateReserved": "2024-08-27T11:34:07.969Z",
"dateUpdated": "2024-08-27T20:51:23.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8213 (GCVE-0-2024-8213)
Vulnerability from cvelistv5 – Published: 2024-08-27 19:31 – Updated: 2024-08-27 20:02
VLAI?
Summary
A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_FMT_R12R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8213",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:53:33.947038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:02:43.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_FMT_R12R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Es wurde eine kritische Schwachstelle in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 entdeckt. Es geht dabei um die Funktion cgi_FMT_R12R5_1st_DiskMGR der Datei /cgi-bin/hd_config.cgi. Durch das Beeinflussen des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T19:31:07.569Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275922 | D-Link DNS-1550-04 hd_config.cgi cgi_FMT_R12R5_1st_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275922"
},
{
"name": "VDB-275922 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275922"
},
{
"name": "Submit #397277 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397277"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi cgi_FMT_R12R5_1st_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8213",
"datePublished": "2024-08-27T19:31:07.569Z",
"dateReserved": "2024-08-27T11:34:04.701Z",
"dateUpdated": "2024-08-27T20:02:43.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8212 (GCVE-0-2024-8212)
Vulnerability from cvelistv5 – Published: 2024-08-27 19:31 – Updated: 2024-08-27 20:02
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_R12R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8212",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:56:03.850944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:02:57.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_R12R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 ausgemacht. Sie wurde als kritisch eingestuft. Es geht hierbei um die Funktion cgi_FMT_R12R5_2nd_DiskMGR der Datei /cgi-bin/hd_config.cgi. Durch Manipulieren des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T19:31:04.976Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275921 | D-Link DNS-1550-04 hd_config.cgi cgi_FMT_R12R5_2nd_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275921"
},
{
"name": "VDB-275921 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275921"
},
{
"name": "Submit #397276 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397276"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_2nd_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi cgi_FMT_R12R5_2nd_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8212",
"datePublished": "2024-08-27T19:31:04.976Z",
"dateReserved": "2024-08-27T11:34:01.400Z",
"dateUpdated": "2024-08-27T20:02:57.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8211 (GCVE-0-2024-8211)
Vulnerability from cvelistv5 – Published: 2024-08-27 19:00 – Updated: 2024-08-27 20:03
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_newly_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:56:23.845268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:03:09.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_newly_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "In D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Es geht um die Funktion cgi_FMT_Std2R1_DiskMGR der Datei /cgi-bin/hd_config.cgi. Durch das Manipulieren des Arguments f_newly_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T19:00:06.373Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275920 | D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R1_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275920"
},
{
"name": "VDB-275920 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275920"
},
{
"name": "Submit #397275 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397275"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R1_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R1_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8211",
"datePublished": "2024-08-27T19:00:06.373Z",
"dateReserved": "2024-08-27T11:33:57.085Z",
"dateUpdated": "2024-08-27T20:03:09.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8210 (GCVE-0-2024-8210)
Vulnerability from cvelistv5 – Published: 2024-08-27 18:31 – Updated: 2024-08-27 20:03
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8210",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:57:22.534694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:03:25.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen hiervon ist die Funktion sprintf der Datei /cgi-bin/hd_config.cgi. Mittels Manipulieren des Arguments f_mount mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T18:31:05.678Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275919 | D-Link DNS-1550-04 hd_config.cgi sprintf command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275919"
},
{
"name": "VDB-275919 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275919"
},
{
"name": "Submit #397274 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397274"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_3rd_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi sprintf command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8210",
"datePublished": "2024-08-27T18:31:05.678Z",
"dateReserved": "2024-08-27T11:23:17.166Z",
"dateUpdated": "2024-08-27T20:03:25.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8134 (GCVE-0-2024-8134)
Vulnerability from cvelistv5 – Published: 2024-08-24 20:00 – Updated: 2024-08-26 14:41
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8134",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T14:41:10.321483Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T14:41:17.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 ausgemacht. Sie wurde als kritisch eingestuft. Davon betroffen ist die Funktion cgi_FMT_Std2R5_1st_DiskMGR der Datei /cgi-bin/hd_config.cgi der Komponente HTTP POST Request Handler. Dank Manipulation des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T20:00:06.287Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275705 | D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_Std2R5_1st_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275705"
},
{
"name": "VDB-275705 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275705"
},
{
"name": "Submit #396296 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396296"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_1st_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_Std2R5_1st_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8134",
"datePublished": "2024-08-24T20:00:06.287Z",
"dateReserved": "2024-08-23T18:30:05.515Z",
"dateUpdated": "2024-08-26T14:41:17.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8133 (GCVE-0-2024-8133)
Vulnerability from cvelistv5 – Published: 2024-08-24 19:00 – Updated: 2024-08-26 13:15
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_R5_SpareDsk_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8133",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T12:06:31.298565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T13:15:17.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_R5_SpareDsk_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "In D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Hierbei betrifft es die Funktion cgi_FMT_R5_SpareDsk_DiskMGR der Datei /cgi-bin/hd_config.cgi der Komponente HTTP POST Request Handler. Dank der Manipulation des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T19:00:06.248Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275704 | D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_R5_SpareDsk_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275704"
},
{
"name": "VDB-275704 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275704"
},
{
"name": "Submit #396295 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396295"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R5_SpareDsk_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_R5_SpareDsk_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8133",
"datePublished": "2024-08-24T19:00:06.248Z",
"dateReserved": "2024-08-23T18:30:02.880Z",
"dateUpdated": "2024-08-26T13:15:17.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8132 (GCVE-0-2024-8132)
Vulnerability from cvelistv5 – Published: 2024-08-24 18:00 – Updated: 2024-08-26 15:54
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function webdav_mgr of the file /cgi-bin/webdav_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dns-120_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-120_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-202l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-315l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-315l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-320_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-320l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-320lw_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320lw_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-321_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-321_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dnr-322l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-322l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-323_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-323_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-325_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-325_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-326_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-326_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-327l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-327l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dnr-326_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-326_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-340l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-340l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-343_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-343_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-345_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-345_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-726-4_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-1100-4_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1100-4_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-1200-05_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1200-05_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-1550-04_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1550-04_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8132",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T14:03:22.896885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T15:54:41.469Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function webdav_mgr of the file /cgi-bin/webdav_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 ausgemacht. Sie wurde als kritisch eingestuft. Dabei betrifft es die Funktion webdav_mgr der Datei /cgi-bin/webdav_mgr.cgi der Komponente HTTP POST Request Handler. Durch Beeinflussen des Arguments f_path mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T18:00:05.836Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275703 | D-Link DNS-1550-04 HTTP POST Request webdav_mgr.cgi webdav_mgr command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275703"
},
{
"name": "VDB-275703 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275703"
},
{
"name": "Submit #396293 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396293"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_webdav_mgr.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:17.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request webdav_mgr.cgi webdav_mgr command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8132",
"datePublished": "2024-08-24T18:00:05.836Z",
"dateReserved": "2024-08-23T18:30:00.444Z",
"dateUpdated": "2024-08-26T15:54:41.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8131 (GCVE-0-2024-8131)
Vulnerability from cvelistv5 – Published: 2024-08-24 17:31 – Updated: 2024-08-26 20:30
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8131",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T20:01:28.020110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T20:30:42.009Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 gefunden. Sie wurde als kritisch eingestuft. Dies betrifft die Funktion module_enable_disable der Datei /cgi-bin/apkg_mgr.cgi der Komponente HTTP POST Request Handler. Durch das Beeinflussen des Arguments f_module_name mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T17:31:05.870Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275702 | D-Link DNS-1550-04 HTTP POST Request apkg_mgr.cgi module_enable_disable command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275702"
},
{
"name": "VDB-275702 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275702"
},
{
"name": "Submit #396292 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396292"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_module_enable_disable.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request apkg_mgr.cgi module_enable_disable command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8131",
"datePublished": "2024-08-24T17:31:05.870Z",
"dateReserved": "2024-08-23T18:29:57.862Z",
"dateUpdated": "2024-08-26T20:30:42.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8130 (GCVE-0-2024-8130)
Vulnerability from cvelistv5 – Published: 2024-08-24 16:31 – Updated: 2024-08-26 16:24
VLAI?
Summary
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:d-link:dns-120:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-120",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-315l:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-315l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dnr-202l:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-202l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-320:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-320l:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-320lw:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320lw",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-323:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-323",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-321:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-321",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-325:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-325",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dnr-322l:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-322l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-326:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-326",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-327l:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-327l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dnr-326:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-326",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-340l:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-340l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-343:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-343",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-345:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-345",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-726-4:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-1100-4:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1100-4",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-1200-05:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1200-05",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-1550-04:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1550-04",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8130",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T15:29:57.547304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T16:24:18.306Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "In D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Das betrifft die Funktion cgi_s3 der Datei /cgi-bin/s3.cgi der Komponente HTTP POST Request Handler. Durch Manipulieren des Arguments f_a_key mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T16:31:05.950Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275701 | D-Link DNS-1550-04 HTTP POST Request s3.cgi cgi_s3 command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275701"
},
{
"name": "VDB-275701 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275701"
},
{
"name": "Submit #396291 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396291"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request s3.cgi cgi_s3 command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8130",
"datePublished": "2024-08-24T16:31:05.950Z",
"dateReserved": "2024-08-23T18:29:55.401Z",
"dateUpdated": "2024-08-26T16:24:18.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8214 (GCVE-0-2024-8214)
Vulnerability from nvd – Published: 2024-08-27 20:00 – Updated: 2024-08-27 20:51
VLAI?
Summary
A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected by this vulnerability is the function cgi_FMT_Std2R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8214",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T20:48:46.158660Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:51:23.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected by this vulnerability is the function cgi_FMT_Std2R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "In D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 wurde eine kritische Schwachstelle entdeckt. Dabei geht es um die Funktion cgi_FMT_Std2R5_2nd_DiskMGR der Datei /cgi-bin/hd_config.cgi. Durch Beeinflussen des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:00:06.123Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275923 | D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R5_2nd_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275923"
},
{
"name": "VDB-275923 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275923"
},
{
"name": "Submit #397278 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397278"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_2nd_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:48.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R5_2nd_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8214",
"datePublished": "2024-08-27T20:00:06.123Z",
"dateReserved": "2024-08-27T11:34:07.969Z",
"dateUpdated": "2024-08-27T20:51:23.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8213 (GCVE-0-2024-8213)
Vulnerability from nvd – Published: 2024-08-27 19:31 – Updated: 2024-08-27 20:02
VLAI?
Summary
A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_FMT_R12R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8213",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:53:33.947038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:02:43.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_FMT_R12R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Es wurde eine kritische Schwachstelle in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 entdeckt. Es geht dabei um die Funktion cgi_FMT_R12R5_1st_DiskMGR der Datei /cgi-bin/hd_config.cgi. Durch das Beeinflussen des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T19:31:07.569Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275922 | D-Link DNS-1550-04 hd_config.cgi cgi_FMT_R12R5_1st_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275922"
},
{
"name": "VDB-275922 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275922"
},
{
"name": "Submit #397277 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397277"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi cgi_FMT_R12R5_1st_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8213",
"datePublished": "2024-08-27T19:31:07.569Z",
"dateReserved": "2024-08-27T11:34:04.701Z",
"dateUpdated": "2024-08-27T20:02:43.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8212 (GCVE-0-2024-8212)
Vulnerability from nvd – Published: 2024-08-27 19:31 – Updated: 2024-08-27 20:02
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_R12R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8212",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:56:03.850944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:02:57.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_R12R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 ausgemacht. Sie wurde als kritisch eingestuft. Es geht hierbei um die Funktion cgi_FMT_R12R5_2nd_DiskMGR der Datei /cgi-bin/hd_config.cgi. Durch Manipulieren des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T19:31:04.976Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275921 | D-Link DNS-1550-04 hd_config.cgi cgi_FMT_R12R5_2nd_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275921"
},
{
"name": "VDB-275921 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275921"
},
{
"name": "Submit #397276 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397276"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_2nd_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi cgi_FMT_R12R5_2nd_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8212",
"datePublished": "2024-08-27T19:31:04.976Z",
"dateReserved": "2024-08-27T11:34:01.400Z",
"dateUpdated": "2024-08-27T20:02:57.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8211 (GCVE-0-2024-8211)
Vulnerability from nvd – Published: 2024-08-27 19:00 – Updated: 2024-08-27 20:03
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_newly_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:56:23.845268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:03:09.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_newly_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "In D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Es geht um die Funktion cgi_FMT_Std2R1_DiskMGR der Datei /cgi-bin/hd_config.cgi. Durch das Manipulieren des Arguments f_newly_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T19:00:06.373Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275920 | D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R1_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275920"
},
{
"name": "VDB-275920 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275920"
},
{
"name": "Submit #397275 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397275"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R1_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R1_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8211",
"datePublished": "2024-08-27T19:00:06.373Z",
"dateReserved": "2024-08-27T11:33:57.085Z",
"dateUpdated": "2024-08-27T20:03:09.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8210 (GCVE-0-2024-8210)
Vulnerability from nvd – Published: 2024-08-27 18:31 – Updated: 2024-08-27 20:03
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
BuaaIoTTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8210",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T19:57:22.534694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:03:25.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "BuaaIoTTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen hiervon ist die Funktion sprintf der Datei /cgi-bin/hd_config.cgi. Mittels Manipulieren des Arguments f_mount mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T18:31:05.678Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275919 | D-Link DNS-1550-04 hd_config.cgi sprintf command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275919"
},
{
"name": "VDB-275919 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275919"
},
{
"name": "Submit #397274 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.397274"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_3rd_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-27T13:39:22.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 hd_config.cgi sprintf command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8210",
"datePublished": "2024-08-27T18:31:05.678Z",
"dateReserved": "2024-08-27T11:23:17.166Z",
"dateUpdated": "2024-08-27T20:03:25.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8134 (GCVE-0-2024-8134)
Vulnerability from nvd – Published: 2024-08-24 20:00 – Updated: 2024-08-26 14:41
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8134",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T14:41:10.321483Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T14:41:17.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 ausgemacht. Sie wurde als kritisch eingestuft. Davon betroffen ist die Funktion cgi_FMT_Std2R5_1st_DiskMGR der Datei /cgi-bin/hd_config.cgi der Komponente HTTP POST Request Handler. Dank Manipulation des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T20:00:06.287Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275705 | D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_Std2R5_1st_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275705"
},
{
"name": "VDB-275705 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275705"
},
{
"name": "Submit #396296 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396296"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_1st_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_Std2R5_1st_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8134",
"datePublished": "2024-08-24T20:00:06.287Z",
"dateReserved": "2024-08-23T18:30:05.515Z",
"dateUpdated": "2024-08-26T14:41:17.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8133 (GCVE-0-2024-8133)
Vulnerability from nvd – Published: 2024-08-24 19:00 – Updated: 2024-08-26 13:15
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_R5_SpareDsk_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:*:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"lessThanOrEqual": "20240814",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8133",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T12:06:31.298565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T13:15:17.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_R5_SpareDsk_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "In D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Hierbei betrifft es die Funktion cgi_FMT_R5_SpareDsk_DiskMGR der Datei /cgi-bin/hd_config.cgi der Komponente HTTP POST Request Handler. Dank der Manipulation des Arguments f_source_dev mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T19:00:06.248Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275704 | D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_R5_SpareDsk_DiskMGR command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275704"
},
{
"name": "VDB-275704 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275704"
},
{
"name": "Submit #396295 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396295"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R5_SpareDsk_DiskMGR.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:19.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_R5_SpareDsk_DiskMGR command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8133",
"datePublished": "2024-08-24T19:00:06.248Z",
"dateReserved": "2024-08-23T18:30:02.880Z",
"dateUpdated": "2024-08-26T13:15:17.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8132 (GCVE-0-2024-8132)
Vulnerability from nvd – Published: 2024-08-24 18:00 – Updated: 2024-08-26 15:54
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function webdav_mgr of the file /cgi-bin/webdav_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dns-120_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-120_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-202l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-315l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-315l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-320_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-320l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-320lw_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320lw_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-321_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-321_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dnr-322l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-322l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-323_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-323_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-325_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-325_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-326_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-326_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-327l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-327l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dnr-326_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-326_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-340l_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-340l_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-343_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-343_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-345_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-345_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-726-4_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-1100-4_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1100-4_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-1200-05_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1200-05_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:o:dlink:dns-1550-04_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1550-04_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8132",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T14:03:22.896885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T15:54:41.469Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function webdav_mgr of the file /cgi-bin/webdav_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 ausgemacht. Sie wurde als kritisch eingestuft. Dabei betrifft es die Funktion webdav_mgr der Datei /cgi-bin/webdav_mgr.cgi der Komponente HTTP POST Request Handler. Durch Beeinflussen des Arguments f_path mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T18:00:05.836Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275703 | D-Link DNS-1550-04 HTTP POST Request webdav_mgr.cgi webdav_mgr command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275703"
},
{
"name": "VDB-275703 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275703"
},
{
"name": "Submit #396293 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396293"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_webdav_mgr.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:17.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request webdav_mgr.cgi webdav_mgr command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8132",
"datePublished": "2024-08-24T18:00:05.836Z",
"dateReserved": "2024-08-23T18:30:00.444Z",
"dateUpdated": "2024-08-26T15:54:41.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8131 (GCVE-0-2024-8131)
Vulnerability from nvd – Published: 2024-08-24 17:31 – Updated: 2024-08-26 20:30
VLAI?
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:dlink:dnr-202l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-322l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dnr-326_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1100-4_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1200-05_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-120_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-1550-04_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-315l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-320lw_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-321_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-323_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-325_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-326_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-327l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-340l_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-343_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-345_firmware:20240814:*:*:*:*:*:*:*",
"cpe:2.3:o:dlink:dns-726-4_firmware:20240814:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4_firmware",
"vendor": "dlink",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8131",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T20:01:28.020110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T20:30:42.009Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 gefunden. Sie wurde als kritisch eingestuft. Dies betrifft die Funktion module_enable_disable der Datei /cgi-bin/apkg_mgr.cgi der Komponente HTTP POST Request Handler. Durch das Beeinflussen des Arguments f_module_name mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T17:31:05.870Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275702 | D-Link DNS-1550-04 HTTP POST Request apkg_mgr.cgi module_enable_disable command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275702"
},
{
"name": "VDB-275702 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275702"
},
{
"name": "Submit #396292 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396292"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_module_enable_disable.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request apkg_mgr.cgi module_enable_disable command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8131",
"datePublished": "2024-08-24T17:31:05.870Z",
"dateReserved": "2024-08-23T18:29:57.862Z",
"dateUpdated": "2024-08-26T20:30:42.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8130 (GCVE-0-2024-8130)
Vulnerability from nvd – Published: 2024-08-24 16:31 – Updated: 2024-08-26 16:24
VLAI?
Summary
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-77 - Command Injection
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20240814
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Buaa1otTeam (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:d-link:dns-120:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-120",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-315l:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-315l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dnr-202l:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-202l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-320:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-320l:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-320lw:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-320lw",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-323:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-323",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-321:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-321",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-325:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-325",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dnr-322l:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-322l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-326:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-326",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-327l:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-327l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dnr-326:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dnr-326",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-340l:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-340l",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-343:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-343",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-345:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-345",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-726-4:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-726-4",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-1100-4:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1100-4",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-1200-05:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1200-05",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"cpes": [
"cpe:2.3:h:d-link:dns-1550-04:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dns-1550-04",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8130",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T15:29:57.547304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T16:24:18.306Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
},
{
"modules": [
"HTTP POST Request Handler"
],
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20240814"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buaa1otTeam (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
},
{
"lang": "de",
"value": "In D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 bis 20240814 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Das betrifft die Funktion cgi_s3 der Datei /cgi-bin/s3.cgi der Komponente HTTP POST Request Handler. Durch Manipulieren des Arguments f_a_key mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-24T16:31:05.950Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-275701 | D-Link DNS-1550-04 HTTP POST Request s3.cgi cgi_s3 command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.275701"
},
{
"name": "VDB-275701 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.275701"
},
{
"name": "Submit #396291 | D-Link DNS 320/320L/321/323/325/327L Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.396291"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3.md"
},
{
"tags": [
"related"
],
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-08-23T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-08-23T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-08-23T20:35:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 HTTP POST Request s3.cgi cgi_s3 command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-8130",
"datePublished": "2024-08-24T16:31:05.950Z",
"dateReserved": "2024-08-23T18:29:55.401Z",
"dateUpdated": "2024-08-26T16:24:18.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}