CVE-2024-10916

A vulnerability classified as problematic has been found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. This affects an unknown part of the file /xml/info.xml of the component HTTP GET Request Handler. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://netsecfish.notion.site/Information-Disclosure-Vulnerability-Report-in-xml-info-xml-for-D-Link-NAS-12d6b683e67c8019a311e699582f51b6?pvs=4	Exploit Third Party Advisory
https://vuldb.com/?ctiid.283311	Third Party Advisory
https://vuldb.com/?id.283311	Third Party Advisory
https://vuldb.com/?submit.432849	Third Party Advisory
https://www.dlink.com/	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:dlink:dns-320lw_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:dlink:dns-325_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:dlink:dns-340l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*

History

08 Nov 2024, 20:11

Type	Values Removed	Values Added
CPE		cpe:2.3:h:dlink:dns-320:-:::::::* cpe:2.3:o:dlink:dns-320lw_firmware:::::::: cpe:2.3:h:dlink:dns-320lw:-:::::::* cpe:2.3:o:dlink:dns-340l_firmware:::::::: cpe:2.3:o:dlink:dns-325_firmware:::::::: cpe:2.3:h:dlink:dns-340l:-:::::::* cpe:2.3:o:dlink:dns-320_firmware:::::::: cpe:2.3:h:dlink:dns-325:-:::::::*
CWE		NVD-CWE-Other
First Time		Dlink dns-320lw Firmware Dlink dns-320lw Dlink dns-320 Firmware Dlink dns-340l Firmware Dlink Dlink dns-325 Dlink dns-320 Dlink dns-325 Firmware Dlink dns-340l
Summary		(es) Se ha detectado una vulnerabilidad clasificada como problemática en D-Link DNS-320, DNS-320LW, DNS-325 y DNS-340L hasta 20241028. Afecta a una parte desconocida del archivo /xml/info.xml del componente HTTP GET Request Handler. La manipulación conduce a la divulgación de información. Es posible iniciar el ataque de forma remota. El exploit se ha hecho público y puede utilizarse.
References	~~() https://netsecfish.notion.site/Information-Disclosure-Vulnerability-Report-in-xml-info-xml-for-D-Link-NAS-12d6b683e67c8019a311e699582f51b6?pvs=4 -~~	() https://netsecfish.notion.site/Information-Disclosure-Vulnerability-Report-in-xml-info-xml-for-D-Link-NAS-12d6b683e67c8019a311e699582f51b6?pvs=4 - Exploit, Third Party Advisory
References	~~() https://vuldb.com/?ctiid.283311 -~~	() https://vuldb.com/?ctiid.283311 - Third Party Advisory
References	~~() https://vuldb.com/?id.283311 -~~	() https://vuldb.com/?id.283311 - Third Party Advisory
References	~~() https://vuldb.com/?submit.432849 -~~	() https://vuldb.com/?submit.432849 - Third Party Advisory
References	~~() https://www.dlink.com/ -~~	() https://www.dlink.com/ - Product

06 Nov 2024, 16:15

Type	Values Removed	Values Added
CWE	~~CWE-266~~

06 Nov 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-06 15:15

Updated : 2024-11-08 20:11

NVD link : CVE-2024-10916

Mitre link : CVE-2024-10916

CVE.ORG link : CVE-2024-10916

JSON object : View

Products Affected

dlink

dns-320
dns-320lw
dns-320_firmware
dns-325_firmware
dns-320lw_firmware
dns-325
dns-340l_firmware
dns-340l

CWE

NVD-CWE-Other CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-284

Improper Access Control

5.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2024-10916

5.3^/10

5.0^/10

Attach tags to `CVE-2024-10916`