CVE-2024-10914

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to OS command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Configurations

Configuration 1

AND
cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*

Configuration 4

AND
cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*

History

24 Nov 2024, 15:15

Type Values Removed Values Added
CWE CWE-78
CWE-707
CWE-74
References
  • https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/

08 Nov 2024, 19:53

Type Values Removed Values Added
CVSS
  Removed: v2 : unknown, v3 : unknown
  Added: v2 : unknown, v3 : 9.8
References
  Removed: https://vuldb.com/?id.283309
  Added: https://vuldb.com/?id.283309 - Permissions Required, Third Party Advisory
References
  Removed: https://www.dlink.com/
  Added: https://www.dlink.com/ - Product
References
  Removed: https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07?pvs=4
  Added: https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07?pvs=4 - Exploit, Third Party Advisory
References
  Removed: https://vuldb.com/?submit.432847
  Added: https://vuldb.com/?submit.432847 - Third Party Advisory
References
  Removed: https://vuldb.com/?ctiid.283309
  Added: https://vuldb.com/?ctiid.283309 - Permissions Required
CPE cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*
First Time Dlink dns-325 Firmware
Dlink dns-320
Dlink dns-340l
Dlink
Dlink dns-340l Firmware
Dlink dns-320 Firmware
Dlink dns-325
Dlink dns-320lw Firmware
Dlink dns-320lw

06 Nov 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-06 14:15

Updated : 2024-11-24 15:15


NVD link : CVE-2024-10914

Mitre link : CVE-2024-10914


Products Affected

dlink

  • dns-340l
  • dns-340l_firmware
  • dns-325
  • dns-320lw_firmware
  • dns-320lw
  • dns-320
  • dns-325_firmware
  • dns-320_firmware
CWE

No CWE.