OpenCVE

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:H/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Dlink	Dns-320 Dns-320 Firmware Dns-320lw Dns-320lw Firmware Dns-325 Dns-325 Firmware Dns-340l Dns-340l Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4
https://vuldb.com/?ctiid.283310
https://vuldb.com/?id.283310
https://vuldb.com/?submit.432848
https://www.dlink.com/

History

Fri, 08 Nov 2024 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink dns-320 Dlink dns-320lw Dlink dns-325 Dlink dns-340l
CPEs		cpe:2.3:h:dlink:dns-320:-:::::::* cpe:2.3:h:dlink:dns-320lw:-:::::::* cpe:2.3:h:dlink:dns-325:-:::::::* cpe:2.3:h:dlink:dns-340l:-:::::::*
Vendors & Products		Dlink dns-320 Dlink dns-320lw Dlink dns-325 Dlink dns-340l

Wed, 06 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dns-320 Firmware Dlink dns-320lw Firmware Dlink dns-325 Firmware Dlink dns-340l Firmware
CPEs		cpe:2.3:o:dlink:dns-320_firmware:::::::: cpe:2.3:o:dlink:dns-320lw_firmware:::::::: cpe:2.3:o:dlink:dns-325_firmware:::::::: cpe:2.3:o:dlink:dns-340l_firmware::::::::
Vendors & Products		Dlink Dlink dns-320 Firmware Dlink dns-320lw Firmware Dlink dns-325 Firmware Dlink dns-340l Firmware
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 06 Nov 2024 14:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Title		D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection
Weaknesses		CWE-707 CWE-74 CWE-78
References		https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4 https://vuldb.com/?ctiid.283310 https://vuldb.com/?id.283310 https://vuldb.com/?submit.432848 https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 7.6, 'vector': 'AV:N/AC:H/Au:N/C:C/I:C/A:C'}` cvssV3_0 `{'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2024-11-06T14:00:06.041Z

Updated: 2024-11-06T15:26:07.833Z

Reserved: 2024-11-06T07:07:56.135Z

Link: CVE-2024-10915

Vulnrichment

Updated: 2024-11-06T15:25:59.345Z

NVD

Status : Analyzed

Published: 2024-11-06T14:15:05.783

Modified: 2024-11-08T20:11:10.973

Link: CVE-2024-10915

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object