Vulnerability-Lookup

CNVD-2025-18474

Vulnerability from cnvd - Published: 2025-08-14

Title

D-Link DNS-320信息泄露漏洞（CNVD-2025-18474）

Description

D-Link DNS-320是友讯推出的双盘位网络存储设备（NAS），面向家庭及小型办公场景设计，支持最大4TB存储容量。 D-Link DNS-320存在信息泄露漏洞，该漏洞源于对参数getHD/getSer/getSys的错误操作会导致信息泄露。目前没有详细的漏洞细节提供。

Severity

低

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://www.dlink.com

Reference

https://vuldb.com/?id.276626 https://vuldb.com/?ctiid.276626 https://vuldb.com/?submit.401297 https://github.com/leetsun/IoT-Vuls/tree/main/Dlink-dns320/1 https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 https://www.dlink.com/ https://cxsecurity.com/cveshow/CVE-2024-8460/

Impacted products

Name
D-Link DNS-320 2.02b01

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-8460",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-8460"
    }
  },
  "description": "D-Link DNS-320\u662f\u53cb\u8baf\u63a8\u51fa\u7684\u53cc\u76d8\u4f4d\u7f51\u7edc\u5b58\u50a8\u8bbe\u5907\uff08NAS\uff09\uff0c\u9762\u5411\u5bb6\u5ead\u53ca\u5c0f\u578b\u529e\u516c\u573a\u666f\u8bbe\u8ba1\uff0c\u652f\u6301\u6700\u59274TB\u5b58\u50a8\u5bb9\u91cf\u3002\n\nD-Link DNS-320\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9\u53c2\u6570getHD/getSer/getSys\u7684\u9519\u8bef\u64cd\u4f5c\u4f1a\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://www.dlink.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-18474",
  "openTime": "2025-08-14",
  "products": {
    "product": "D-Link DNS-320 2.02b01"
  },
  "referenceLink": "https://vuldb.com/?id.276626\r\nhttps://vuldb.com/?ctiid.276626\r\nhttps://vuldb.com/?submit.401297\r\nhttps://github.com/leetsun/IoT-Vuls/tree/main/Dlink-dns320/1\r\nhttps://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383\r\nhttps://www.dlink.com/\r\nhttps://cxsecurity.com/cveshow/CVE-2024-8460/",
  "serverity": "\u4f4e",
  "submitTime": "2024-09-10",
  "title": "D-Link DNS-320\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2025-18474\uff09"
}

CVE-2024-8460 (GCVE-0-2024-8460)

Vulnerability from cvelistv5 – Published: 2024-09-05 12:00 – Updated: 2024-09-05 14:52 Unsupported When Assigned

Title

D-Link DNS-320 Web Management Interface widget_api.cgi information disclosure

Summary

A vulnerability, which was classified as problematic, has been found in D-Link DNS-320 2.02b01. Affected by this issue is some unknown functionality of the file /cgi-bin/widget_api.cgi of the component Web Management Interface. The manipulation of the argument getHD/getSer/getSys leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Severity ?

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

3.7 (Low)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Information Disclosure

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.276626	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.276626	signaturepermissions-required
	https://vuldb.com/?submit.401297	third-party-advisory
	https://github.com/leetsun/IoT-Vuls/tree/main/Dli…	exploit
	https://supportannouncement.us.dlink.com/security…	related
	https://www.dlink.com/	product

Impacted products

	Vendor	Product	Version
	D-Link	DNS-320	Affected: 2.02b01

Credits

leetmoon (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dns-320",
            "vendor": "dlink",
            "versions": [
              {
                "status": "affected",
                "version": "2.02b01"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8460",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-05T14:48:20.386605Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-05T14:52:02.394Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Web Management Interface"
          ],
          "product": "DNS-320",
          "vendor": "D-Link",
          "versions": [
            {
              "status": "affected",
              "version": "2.02b01"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "leetmoon (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as problematic, has been found in D-Link DNS-320 2.02b01. Affected by this issue is some unknown functionality of the file /cgi-bin/widget_api.cgi of the component Web Management Interface. The manipulation of the argument getHD/getSer/getSys leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced."
        },
        {
          "lang": "de",
          "value": "Eine problematische Schwachstelle wurde in D-Link DNS-320 2.02b01 entdeckt. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Datei /cgi-bin/widget_api.cgi der Komponente Web Management Interface. Durch das Beeinflussen des Arguments getHD/getSer/getSys mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Information Disclosure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-05T12:00:07.296Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-276626 | D-Link DNS-320 Web Management Interface widget_api.cgi information disclosure",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.276626"
        },
        {
          "name": "VDB-276626 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.276626"
        },
        {
          "name": "Submit #401297 | Drink ShareCenter\u2122 2-Bay Network Storage Enclosure DNS-320 2.02b01 Information Disclosure",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.401297"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/leetsun/IoT-Vuls/tree/main/Dlink-dns320/1"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.dlink.com/"
        }
      ],
      "tags": [
        "unsupported-when-assigned"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-09-05T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-09-05T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-09-05T07:11:35.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "D-Link DNS-320 Web Management Interface widget_api.cgi information disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-8460",
    "datePublished": "2024-09-05T12:00:07.296Z",
    "dateReserved": "2024-09-05T05:06:26.624Z",
    "dateUpdated": "2024-09-05T14:52:02.394Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-18474

CVE-2024-8460 (GCVE-0-2024-8460)

Tags

Sightings

Nomenclature