A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
History

Fri, 08 Nov 2024 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Dlink dns-320
Dlink dns-320lw
Dlink dns-325
Dlink dns-340l
CPEs cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*
Vendors & Products Dlink dns-320
Dlink dns-320lw
Dlink dns-325
Dlink dns-340l

Wed, 06 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dns-320 Firmware
Dlink dns-320lw Firmware
Dlink dns-325 Firmware
Dlink dns-340l Firmware
CPEs cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dns-320 Firmware
Dlink dns-320lw Firmware
Dlink dns-325 Firmware
Dlink dns-340l Firmware
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 Nov 2024 14:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Title D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection
Weaknesses CWE-707
CWE-74
CWE-78
References
Metrics cvssV2_0

{'score': 7.6, 'vector': 'AV:N/AC:H/Au:N/C:C/I:C/A:C'}

cvssV3_0

{'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2024-11-06T14:00:06.041Z

Updated: 2024-11-06T15:26:07.833Z

Reserved: 2024-11-06T07:07:56.135Z

Link: CVE-2024-10915

cve-icon Vulnrichment

Updated: 2024-11-06T15:25:59.345Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-06T14:15:05.783

Modified: 2024-11-08T20:11:10.973

Link: CVE-2024-10915

cve-icon Redhat

No data.