A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This issue affects the function cgi_add_zip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
Link | Resource |
---|---|
https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_add_zip.md | Exploit Third Party Advisory |
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory |
https://vuldb.com/?ctiid.275699 | Permissions Required VDB Entry |
https://vuldb.com/?id.275699 | Third Party Advisory VDB Entry |
https://vuldb.com/?submit.396237 | Third Party Advisory VDB Entry |
https://www.dlink.com/ | Product |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
AND |
|
Configuration 8 (hide)
AND |
|
Configuration 9 (hide)
AND |
|
Configuration 10 (hide)
AND |
|
Configuration 11 (hide)
AND |
|
Configuration 12 (hide)
AND |
|
Configuration 13 (hide)
AND |
|
Configuration 14 (hide)
AND |
|
Configuration 15 (hide)
AND |
|
Configuration 16 (hide)
AND |
|
Configuration 17 (hide)
AND |
|
Configuration 18 (hide)
AND |
|
Configuration 19 (hide)
AND |
|
Configuration 20 (hide)
AND |
|
History
27 Aug 2024, 15:32
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_add_zip.md - Exploit, Third Party Advisory | |
References | () https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 - Vendor Advisory | |
References | () https://vuldb.com/?ctiid.275699 - Permissions Required, VDB Entry | |
References | () https://vuldb.com/?id.275699 - Third Party Advisory, VDB Entry | |
References | () https://vuldb.com/?submit.396237 - Third Party Advisory, VDB Entry | |
References | () https://www.dlink.com/ - Product | |
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 9.8 |
First Time |
Dlink dns-1100-4
Dlink dns-326 Dlink dns-320l Dlink dns-320 Firmware Dlink dns-325 Dlink dnr-322l Dlink dns-343 Firmware Dlink dns-320lw Dlink dns-325 Firmware Dlink dns-320lw Firmware Dlink dns-315l Dlink dns-320 Dlink dns-1550-04 Firmware Dlink dns-726-4 Firmware Dlink dns-315l Firmware Dlink dns-1550-04 Dlink dns-323 Firmware Dlink dns-320l Firmware Dlink dnr-202l Dlink dnr-326 Firmware Dlink dns-321 Dlink dns-726-4 Dlink dnr-322l Firmware Dlink dns-323 Dlink dns-1100-4 Firmware Dlink dnr-326 Dlink dns-1200-05 Firmware Dlink Dlink dns-340l Firmware Dlink dns-120 Firmware Dlink dns-327l Dlink dns-1200-05 Dlink dns-345 Firmware Dlink dns-340l Dlink dns-326 Firmware Dlink dns-120 Dlink dns-345 Dlink dns-343 Dlink dns-327l Firmware Dlink dnr-202l Firmware Dlink dns-321 Firmware |
|
CPE | cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:* |
|
CWE | CWE-78 |
26 Aug 2024, 12:47
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
24 Aug 2024, 12:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-24 12:15
Updated : 2024-08-27 15:32
NVD link : CVE-2024-8128
Mitre link : CVE-2024-8128
CVE.ORG link : CVE-2024-8128
JSON object : View
Products Affected
dlink
- dns-345_firmware
- dns-321
- dns-120_firmware
- dns-1200-05
- dns-343
- dns-325
- dnr-202l
- dns-1550-04_firmware
- dns-315l
- dns-326_firmware
- dns-320l_firmware
- dns-327l_firmware
- dns-1100-4_firmware
- dns-320lw
- dns-1200-05_firmware
- dns-321_firmware
- dns-325_firmware
- dns-345
- dns-320lw_firmware
- dns-1550-04
- dnr-202l_firmware
- dnr-326_firmware
- dns-320
- dns-323_firmware
- dns-320_firmware
- dnr-326
- dns-327l
- dns-726-4_firmware
- dns-340l_firmware
- dns-340l
- dns-315l_firmware
- dns-120
- dnr-322l
- dns-1100-4
- dns-343_firmware
- dns-326
- dnr-322l_firmware
- dns-323
- dns-726-4
- dns-320l