cnvd - cnvd-2025-18473

CNVD-2025-18473

Vulnerability from cnvd - Published: 2025-08-14

Title

D-Link DNS-320 /cgi-bin/discovery.cgi文件信息泄露漏洞

Description

D-Link DNS-320是友讯推出的双盘位网络存储设备（NAS），面向家庭及小型办公场景设计，支持最大4TB存储容量。 D-Link DNS-320存在信息泄露漏洞，该漏洞源于文件/cgi-bin/discovery.cgi对于敏感信息保护不足，攻击者可利用该漏洞获取敏感信息。

Severity

中

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://www.dlink.com

Reference

https://vuldb.com/?id.276627

Impacted products

Name
D-Link DNS-320 2.02b01

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-8461",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-8461"
    }
  },
  "description": "D-Link DNS-320\u662f\u53cb\u8baf\u63a8\u51fa\u7684\u53cc\u76d8\u4f4d\u7f51\u7edc\u5b58\u50a8\u8bbe\u5907\uff08NAS\uff09\uff0c\u9762\u5411\u5bb6\u5ead\u53ca\u5c0f\u578b\u529e\u516c\u573a\u666f\u8bbe\u8ba1\uff0c\u652f\u6301\u6700\u59274TB\u5b58\u50a8\u5bb9\u91cf\u3002\n\nD-Link DNS-320\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6587\u4ef6/cgi-bin/discovery.cgi\u5bf9\u4e8e\u654f\u611f\u4fe1\u606f\u4fdd\u62a4\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://www.dlink.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-18473",
  "openTime": "2025-08-14",
  "products": {
    "product": "D-Link DNS-320 2.02b01"
  },
  "referenceLink": "https://vuldb.com/?id.276627",
  "serverity": "\u4e2d",
  "submitTime": "2024-09-11",
  "title": "D-Link DNS-320 /cgi-bin/discovery.cgi\u6587\u4ef6\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2024-8461 (GCVE-0-2024-8461)

Vulnerability from cvelistv5 – Published: 2024-09-05 12:31 – Updated: 2024-09-05 14:47 Unsupported When Assigned

Title

D-Link DNS-320 Web Management Interface discovery.cgi information disclosure

Summary

A vulnerability, which was classified as problematic, was found in D-Link DNS-320 2.02b01. This affects an unknown part of the file /cgi-bin/discovery.cgi of the component Web Management Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Information Disclosure

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.276627	vdb-entry
	https://vuldb.com/?ctiid.276627	signaturepermissions-required
	https://vuldb.com/?submit.401300	third-party-advisory
	https://github.com/leetsun/IoT-Vuls/tree/main/Dli…	exploit
	https://supportannouncement.us.dlink.com/security…	related
	https://www.dlink.com/	product

Impacted products

	Vendor	Product	Version
	D-Link	DNS-320	Affected: 2.02b01

Credits

leetmoon (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dns-320",
            "vendor": "dlink",
            "versions": [
              {
                "status": "affected",
                "version": "2.02b01"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8461",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-05T14:46:32.287624Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-05T14:47:39.045Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Web Management Interface"
          ],
          "product": "DNS-320",
          "vendor": "D-Link",
          "versions": [
            {
              "status": "affected",
              "version": "2.02b01"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "leetmoon (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as problematic, was found in D-Link DNS-320 2.02b01. This affects an unknown part of the file /cgi-bin/discovery.cgi of the component Web Management Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
        },
        {
          "lang": "de",
          "value": "Es wurde eine problematische Schwachstelle in D-Link DNS-320 2.02b01 gefunden. Es geht dabei um eine nicht klar definierte Funktion der Datei /cgi-bin/discovery.cgi der Komponente Web Management Interface. Durch Beeinflussen mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Information Disclosure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-05T12:31:05.270Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-276627 | D-Link DNS-320 Web Management Interface discovery.cgi information disclosure",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.276627"
        },
        {
          "name": "VDB-276627 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.276627"
        },
        {
          "name": "Submit #401300 | Drink ShareCenter\u2122 2-Bay Network Storage Enclosure DNS-320 2.02b01 Information Disclosure",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.401300"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/leetsun/IoT-Vuls/tree/main/Dlink-dns320/4"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.dlink.com/"
        }
      ],
      "tags": [
        "unsupported-when-assigned"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-09-05T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-09-05T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-09-05T07:12:00.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "D-Link DNS-320 Web Management Interface discovery.cgi information disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-8461",
    "datePublished": "2024-09-05T12:31:05.270Z",
    "dateReserved": "2024-09-05T05:06:28.973Z",
    "dateUpdated": "2024-09-05T14:47:39.045Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-18473

CVE-2024-8461 (GCVE-0-2024-8461)

Tags

Sightings

Nomenclature