CVE-2024-3273

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND
cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*

History

15 Apr 2024, 20:13

Type Values Removed Values Added
CVSS v2 : 7.5
v3 : 7.3
v2 : 7.5
v3 : 9.8
First Time Dlink dns-1200-05
Dlink dnr-202l
Dlink dns-321
Dlink dns-1100-4
Dlink dnr-322l
Dlink dns-1200-05 Firmware
Dlink dns-321 Firmware
Dlink dns-315l Firmware
Dlink dns-340l Firmware
Dlink dns-320lw
Dlink dns-345
Dlink dns-120 Firmware
Dlink dns-325
Dlink dns-326
Dlink dns-726-4 Firmware
Dlink dns-323
Dlink
Dlink dns-1550-04 Firmware
Dlink dns-320l
Dlink dns-1100-4 Firmware
Dlink dns-320lw Firmware
Dlink dnr-326
Dlink dns-326 Firmware
Dlink dns-327l Firmware
Dlink dns-325 Firmware
Dlink dns-320
Dlink dns-120
Dlink dns-320 Firmware
Dlink dns-726-4
Dlink dns-327l
Dlink dns-1550-04
Dlink dns-340l
Dlink dnr-326 Firmware
Dlink dns-320l Firmware
Dlink dns-323 Firmware
Dlink dns-343 Firmware
Dlink dns-345 Firmware
Dlink dnr-202l Firmware
Dlink dnr-322l Firmware
Dlink dns-343
Dlink dns-315l
References () https://github.com/netsecfish/dlink - () https://github.com/netsecfish/dlink - Exploit, Third Party Advisory
References () https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 - () https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 - Vendor Advisory
References () https://vuldb.com/?ctiid.259284 - () https://vuldb.com/?ctiid.259284 - Permissions Required
References () https://vuldb.com/?id.259284 - () https://vuldb.com/?id.259284 - Third Party Advisory
References () https://vuldb.com/?submit.304661 - () https://vuldb.com/?submit.304661 - Third Party Advisory
CPE cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

11 Apr 2024, 10:15

Type Values Removed Values Added
References
  • {'url': 'https://news.ycombinator.com/item?id=39960107', 'source': 'cna@vuldb.com'}

07 Apr 2024, 14:15

Type Values Removed Values Added
References
  • () https://news.ycombinator.com/item?id=39960107 -

05 Apr 2024, 05:15

Type Values Removed Values Added
Summary
  • (es) ** NO SOPORTADO CUANDO SE ASIGNÓ ** Se ha encontrado una vulnerabilidad clasificada como crítica en D-Link DNS-320L, DNS-325, DNS-327L y DNS-340L hasta 20240403. Una función desconocida del archivo / cgi-bin/nas_sharing.cgi del componente HTTP GET Request Handler. La manipulación del SYSTEM de argumentos conduce a la inyección de comandos. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al público y puede utilizarse. El identificador de esta vulnerabilidad es VDB-259284. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contactó primeramente con el proveedor y se confirmó de inmediato que el producto ha llegado al final de su vida útil. Debería retirarse y reemplazarse.
References
  • () https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 -

04 Apr 2024, 04:15

Type Values Removed Values Added
Summary (en) A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. (en) ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

04 Apr 2024, 01:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-04 01:15

Updated : 2024-08-14 19:31


NVD link : CVE-2024-3273

Mitre link : CVE-2024-3273

CVE.ORG link : CVE-2024-3273


JSON object : View

Products Affected

dlink

  • dns-1100-4_firmware
  • dns-327l
  • dns-343
  • dns-1550-04_firmware
  • dns-325
  • dns-1550-04
  • dnr-202l_firmware
  • dns-321
  • dns-1200-05
  • dns-340l
  • dns-120
  • dns-343_firmware
  • dns-120_firmware
  • dns-315l_firmware
  • dns-320_firmware
  • dns-726-4
  • dns-1200-05_firmware
  • dns-320l
  • dns-345_firmware
  • dns-326_firmware
  • dns-1100-4
  • dns-320lw
  • dns-323_firmware
  • dns-323
  • dns-326
  • dns-726-4_firmware
  • dnr-326
  • dns-320
  • dnr-202l
  • dnr-326_firmware
  • dns-345
  • dns-315l
  • dnr-322l
  • dns-320l_firmware
  • dns-340l_firmware
  • dns-327l_firmware
  • dns-321_firmware
  • dns-320lw_firmware
  • dnr-322l_firmware
  • dns-325_firmware
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')