A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
History

Sun, 24 Nov 2024 15:30:00 +0000


Fri, 08 Nov 2024 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Dlink dns-320
Dlink dns-320lw
Dlink dns-325
Dlink dns-340l
CPEs cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*
Vendors & Products Dlink dns-320
Dlink dns-320lw
Dlink dns-325
Dlink dns-340l

Wed, 06 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dns-320 Firmware
Dlink dns-320lw Firmware
Dlink dns-325 Firmware
Dlink dns-340l Firmware
CPEs cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dns-320 Firmware
Dlink dns-320lw Firmware
Dlink dns-325 Firmware
Dlink dns-340l Firmware
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 Nov 2024 13:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Title D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection
Weaknesses CWE-707
CWE-74
CWE-78
References
Metrics cvssV2_0

{'score': 7.6, 'vector': 'AV:N/AC:H/Au:N/C:C/I:C/A:C'}

cvssV3_0

{'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2024-11-06T13:31:05.242Z

Updated: 2024-11-24T14:48:27.443Z

Reserved: 2024-11-06T07:07:50.772Z

Link: CVE-2024-10914

cve-icon Vulnrichment

Updated: 2024-11-24T14:48:27.443Z

cve-icon NVD

Status : Modified

Published: 2024-11-06T14:15:05.310

Modified: 2024-11-24T15:15:06.090

Link: CVE-2024-10914

cve-icon Redhat

No data.