CVE-2024-10916 - OpenCVE

A vulnerability classified as problematic has been found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. This affects an unknown part of the file /xml/info.xml of the component HTTP GET Request Handler. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Dlink	Dns-320 Dns-320 Firmware Dns-320lw Dns-320lw Firmware Dns-325 Dns-325 Firmware Dns-340l Dns-340l Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://netsecfish.notion.site/Information-Disclosure-Vulnerability-Report-in-xml-info-xml-for-D-Link-NAS-12d6b683e67c8019a311e699582f51b6?pvs=4
https://vuldb.com/?ctiid.283311
https://vuldb.com/?id.283311
https://vuldb.com/?submit.432849
https://www.dlink.com/

History

Fri, 08 Nov 2024 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink dns-320 Dlink dns-320lw Dlink dns-325 Dlink dns-340l
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:h:dlink:dns-320:-:::::::* cpe:2.3:h:dlink:dns-320lw:-:::::::* cpe:2.3:h:dlink:dns-325:-:::::::* cpe:2.3:h:dlink:dns-340l:-:::::::* cpe:2.3:o:dlink:dns-320_firmware:::::::: cpe:2.3:o:dlink:dns-320lw_firmware:::::::: cpe:2.3:o:dlink:dns-325_firmware:::::::: cpe:2.3:o:dlink:dns-340l_firmware::::::::
Vendors & Products		Dlink dns-320 Dlink dns-320lw Dlink dns-325 Dlink dns-340l

Wed, 06 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dns-320 Firmware Dlink dns-320lw Firmware Dlink dns-325 Firmware Dlink dns-340l Firmware
CPEs		cpe:2.3:o:dlink:dns-320_firmware:20241028:::::::* cpe:2.3:o:dlink:dns-320lw_firmware:20241028:::::::* cpe:2.3:o:dlink:dns-325_firmware:20241028:::::::* cpe:2.3:o:dlink:dns-340l_firmware:20241028:::::::*
Vendors & Products		Dlink Dlink dns-320 Firmware Dlink dns-320lw Firmware Dlink dns-325 Firmware Dlink dns-340l Firmware
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 06 Nov 2024 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-266

Wed, 06 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability classified as problematic has been found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. This affects an unknown part of the file /xml/info.xml of the component HTTP GET Request Handler. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Title		D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L HTTP GET Request info.xml information disclosure
Weaknesses		CWE-200 CWE-266 CWE-284
References		https://netsecfish.notion.site/Information-Disclosure-Vulnerability-Report-in-xml-info-xml-for-D-Link-NAS-12d6b683e67c8019a311e699582f51b6?pvs=4 https://vuldb.com/?ctiid.283311 https://vuldb.com/?id.283311 https://vuldb.com/?submit.432849 https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2024-11-06T15:00:08.202Z

Updated: 2024-11-06T16:15:00.331Z

Reserved: 2024-11-06T07:07:58.999Z

Link: CVE-2024-10916

Vulnrichment

Updated: 2024-11-06T16:14:45.689Z

NVD

Status : Analyzed

Published: 2024-11-06T15:15:12.123

Modified: 2024-11-08T20:11:37.567

Link: CVE-2024-10916

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object