{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7357", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-08-01T06:10:51.582Z", "datePublished": "2024-08-01T13:00:09.320Z", "dateUpdated": "2024-08-07T13:55:58.954Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-08-01T13:00:09.320Z"}, "title": "D-Link DIR-600 soap.cgi soapcgi_main os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 OS Command Injection"}]}], "affected": [{"vendor": "D-Link", "product": "DIR-600", "versions": [{"version": "2.0", "status": "affected"}, {"version": "2.1", "status": "affected"}, {"version": "2.2", "status": "affected"}, {"version": "2.3", "status": "affected"}, {"version": "2.4", "status": "affected"}, {"version": "2.5", "status": "affected"}, {"version": "2.6", "status": "affected"}, {"version": "2.7", "status": "affected"}, {"version": "2.8", "status": "affected"}, {"version": "2.9", "status": "affected"}, {"version": "2.10", "status": "affected"}, {"version": "2.11", "status": "affected"}, {"version": "2.12", "status": "affected"}, {"version": "2.13", "status": "affected"}, {"version": "2.14", "status": "affected"}, {"version": "2.15", "status": "affected"}, {"version": "2.16", "status": "affected"}, {"version": "2.17", "status": "affected"}, {"version": "2.18", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-600 up to 2.18. It has been rated as critical. This issue affects the function soapcgi_main of the file /soap.cgi. The manipulation of the argument service leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273329 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced."}, {"lang": "de", "value": "Eine Schwachstelle wurde in D-Link DIR-600 bis 2.18 ausgemacht. Sie wurde als kritisch eingestuft. Hierbei geht es um die Funktion soapcgi_main der Datei /soap.cgi. Dank Manipulation des Arguments service mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "timeline": [{"time": "2024-08-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-08-01T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-08-01T08:16:22.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BeaCox (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.273329", "name": "VDB-273329 | D-Link DIR-600 soap.cgi soapcgi_main os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.273329", "name": "VDB-273329 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.383695", "name": "Submit #383695 | D-Link DIR-600  2.18 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/BeaCox/IoT_vuln/tree/main/D-Link/DIR-600/soapcgi_main_injection", "tags": ["exploit"]}, {"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10408", "tags": ["related"]}], "tags": ["unsupported-when-assigned"]}, "adp": [{"affected": [{"vendor": "d-link", "product": "dir-600", "cpes": ["cpe:2.3:h:d-link:dir-600:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0", "status": "affected"}, {"version": "2.1", "status": "affected"}, {"version": "2.2", "status": "affected"}, {"version": "2.3", "status": "affected"}, {"version": "2.4", "status": "affected"}, {"version": "2.5", "status": "affected"}, {"version": "2.6", "status": "affected"}, {"version": "2.7", "status": "affected"}, {"version": "2.8", "status": "affected"}, {"version": "2.9", "status": "affected"}, {"version": "2.10", "status": "affected"}, {"version": "2.11", "status": "affected"}, {"version": "2.12", "status": "affected"}, {"version": "2.13", "status": "affected"}, {"version": "2.14", "status": "affected"}, {"version": "2.15", "status": "affected"}, {"version": "2.16", "status": "affected"}, {"version": "2.17", "status": "affected"}, {"version": "2.18", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-07T13:50:41.237527Z", "id": "CVE-2024-7357", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T13:55:58.954Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7357", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-07T13:50:41.237527Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:d-link:dir-600:*:*:*:*:*:*:*:*"], "vendor": "d-link", "product": "dir-600", "versions": [{"status": "affected", "version": "2.0"}, {"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.3"}, {"status": "affected", "version": "2.4"}, {"status": "affected", "version": "2.5"}, {"status": "affected", "version": "2.6"}, {"status": "affected", "version": "2.7"}, {"status": "affected", "version": "2.8"}, {"status": "affected", "version": "2.9"}, {"status": "affected", "version": "2.10"}, {"status": "affected", "version": "2.11"}, {"status": "affected", "version": "2.12"}, {"status": "affected", "version": "2.13"}, {"status": "affected", "version": "2.14"}, {"status": "affected", "version": "2.15"}, {"status": "affected", "version": "2.16"}, {"status": "affected", "version": "2.17"}, {"status": "affected", "version": "2.18"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T13:55:41.056Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "D-Link DIR-600 soap.cgi soapcgi_main os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "BeaCox (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "affected": [{"vendor": "D-Link", "product": "DIR-600", "versions": [{"status": "affected", "version": "2.0"}, {"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.3"}, {"status": "affected", "version": "2.4"}, {"status": "affected", "version": "2.5"}, {"status": "affected", "version": "2.6"}, {"status": "affected", "version": "2.7"}, {"status": "affected", "version": "2.8"}, {"status": "affected", "version": "2.9"}, {"status": "affected", "version": "2.10"}, {"status": "affected", "version": "2.11"}, {"status": "affected", "version": "2.12"}, {"status": "affected", "version": "2.13"}, {"status": "affected", "version": "2.14"}, {"status": "affected", "version": "2.15"}, {"status": "affected", "version": "2.16"}, {"status": "affected", "version": "2.17"}, {"status": "affected", "version": "2.18"}]}], "timeline": [{"lang": "en", "time": "2024-08-01T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2024-08-01T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2024-08-01T08:16:22.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.273329", "name": "VDB-273329 | D-Link DIR-600 soap.cgi soapcgi_main os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.273329", "name": "VDB-273329 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.383695", "name": "Submit #383695 | D-Link DIR-600  2.18 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/BeaCox/IoT_vuln/tree/main/D-Link/DIR-600/soapcgi_main_injection", "tags": ["exploit"]}, {"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10408", "tags": ["related"]}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-600 up to 2.18. It has been rated as critical. This issue affects the function soapcgi_main of the file /soap.cgi. The manipulation of the argument service leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273329 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced."}, {"lang": "de", "value": "Eine Schwachstelle wurde in D-Link DIR-600 bis 2.18 ausgemacht. Sie wurde als kritisch eingestuft. Hierbei geht es um die Funktion soapcgi_main der Datei /soap.cgi. Dank Manipulation des Arguments service mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 OS Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-08-01T13:00:09.320Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7357", "state": "PUBLISHED", "dateUpdated": "2024-08-07T13:55:58.954Z", "dateReserved": "2024-08-01T06:10:51.582Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2024-08-01T13:00:09.320Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "cna@vuldb.com", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-600 up to 2.18. It has been rated as critical. This issue affects the function soapcgi_main of the file /soap.cgi. The manipulation of the argument service leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273329 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced."}, {"lang": "es", "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** Se encontr\u00f3 una vulnerabilidad en D-Link DIR-600 hasta 2.18. Ha sido calificada como cr\u00edtica. Este problema afecta la funci\u00f3n Soapcgi_main del archivo /soap.cgi. La manipulaci\u00f3n del argumento service conduce a la inyecci\u00f3n de comandos del sistema operativo. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-273329. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el mantenedor. NOTA: Se contact\u00f3 al proveedor tempranamente y se confirm\u00f3 de inmediato que el producto ha llegado al final de su vida \u00fatil. Deber\u00eda retirarse y reemplazarse."}], "id": "CVE-2024-7357", "lastModified": "2024-08-07T14:15:33.230", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2024-08-01T13:15:10.950", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/BeaCox/IoT_vuln/tree/main/D-Link/DIR-600/soapcgi_main_injection"}, {"source": "cna@vuldb.com", "url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10408"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.273329"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.273329"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.383695"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}