Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2024-10915
PUBLISHED
More InfoOfficial Page
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
View Known Exploited Vulnerability (KEV) details
Published At-06 Nov, 2024 | 14:00
Updated At-06 Nov, 2024 | 15:26
Rejected At-
▼CVE Numbering Authority (CNA)
D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Affected Products
Vendor
D-Link CorporationD-Link
Product
DNS-320
Versions
Affected
  • 20241028
Vendor
D-Link CorporationD-Link
Product
DNS-320LW
Versions
Affected
  • 20241028
Vendor
D-Link CorporationD-Link
Product
DNS-325
Versions
Affected
  • 20241028
Vendor
D-Link CorporationD-Link
Product
DNS-340L
Versions
Affected
  • 20241028
Problem Types
TypeCWE IDDescription
CWECWE-78OS Command Injection
CWECWE-74Injection
CWECWE-707Improper Neutralization
Type: CWE
CWE ID: CWE-78
Description: OS Command Injection
Type: CWE
CWE ID: CWE-74
Description: Injection
Type: CWE
CWE ID: CWE-707
Description: Improper Neutralization
Metrics
VersionBase scoreBase severityVector
4.09.2CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.18.1HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
3.08.1HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
2.07.6N/A
AV:N/AC:H/Au:N/C:C/I:C/A:C
Version: 4.0
Base score: 9.2
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.0
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 2.0
Base score: 7.6
Base severity: N/A
Vector:
AV:N/AC:H/Au:N/C:C/I:C/A:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
netsecfish (VulDB User)
Timeline
EventDate
Advisory disclosed2024-11-06 00:00:00
VulDB entry created2024-11-06 01:00:00
VulDB entry last update2024-11-06 08:13:06
Event: Advisory disclosed
Date: 2024-11-06 00:00:00
Event: VulDB entry created
Date: 2024-11-06 01:00:00
Event: VulDB entry last update
Date: 2024-11-06 08:13:06
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/?id.283310
vdb-entry
technical-description
https://vuldb.com/?ctiid.283310
signature
permissions-required
https://vuldb.com/?submit.432848
third-party-advisory
https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4
exploit
https://www.dlink.com/
product
Hyperlink: https://vuldb.com/?id.283310
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/?ctiid.283310
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/?submit.432848
Resource:
third-party-advisory
Hyperlink: https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4
Resource:
exploit
Hyperlink: https://www.dlink.com/
Resource:
product
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
D-Link Corporationdlink
Product
dns-320_firmware
CPEs
  • cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.00
Vendor
D-Link Corporationdlink
Product
dns-320lw_firmware
CPEs
  • cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.01.0914.2012
Vendor
D-Link Corporationdlink
Product
dns-325_firmware
CPEs
  • cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.01
  • 1.02
Vendor
D-Link Corporationdlink
Product
dns-340l_firmware
CPEs
  • cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 1.08
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found