Unrated severityNVD Advisory· Published Nov 6, 2024· Updated Nov 6, 2024

D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection

CVE-2024-10915

Description

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

Affected products

Dlink/DNS-320llm-fuzzy4 versions
<=20241028+ 3 more
- (no CPE)range: <=20241028
- (no CPE)range: 20241028
- (no CPE)range: 20241028
- (no CPE)range: 20241028
Dlink/DNS-340Lcpe-rescue
Range: 20241028

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5mitreexploit
vuldb.commitrethird-party-advisory
vuldb.commitresignaturepermissions-required
vuldb.commitrevdb-entrytechnical-description
www.dlink.commitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.075
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000