9.8

CVE-2024-3273

Warnung
Exploit

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DlinkDns-320l Firmware Version1.01.0702.2013
   DlinkDns-320l Version-
DlinkDns-320l Firmware Version1.03.0904.2013
   DlinkDns-320l Version-
DlinkDns-320l Firmware Version1.11
   DlinkDns-320l Version-
DlinkDns-120 Firmware Version-
   DlinkDns-120 Version-
DlinkDnr-202l Firmware Version-
   DlinkDnr-202l Version-
DlinkDns-315l Firmware Version-
   DlinkDns-315l Version-
DlinkDns-320 Firmware Version-
   DlinkDns-320 Version-
DlinkDns-320lw Firmware Version-
   DlinkDns-320lw Version-
DlinkDns-321 Firmware Version-
   DlinkDns-321 Version-
DlinkDnr-322l Firmware Version-
   DlinkDnr-322l Version-
DlinkDns-323 Firmware Version-
   DlinkDns-323 Version-
DlinkDns-325 Firmware Version1.01
   DlinkDns-325 Version-
DlinkDns-326 Firmware Version-
   DlinkDns-326 Version-
DlinkDns-327l Firmware Version1.00.0409.2013
   DlinkDns-327l Version-
DlinkDns-327l Firmware Version1.09
   DlinkDns-327l Version-
DlinkDnr-326 Firmware Version-
   DlinkDnr-326 Version-
DlinkDns-340l Firmware Version1.08
   DlinkDns-340l Version-
DlinkDns-343 Firmware Version-
   DlinkDns-343 Version-
DlinkDns-345 Firmware Version-
   DlinkDns-345 Version-
DlinkDns-726-4 Firmware Version-
   DlinkDns-726-4 Version-
DlinkDns-1100-4 Firmware Version-
   DlinkDns-1100-4 Version-
DlinkDns-1200-05 Firmware Version-
   DlinkDns-1200-05 Version-
DlinkDns-1550-04 Firmware Version-
   DlinkDns-1550-04 Version-

11.04.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

D-Link Multiple NAS Devices Command Injection Vulnerability

Schwachstelle

D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability. When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.

Beschreibung

This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 94.43% 1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cna@vuldb.com 7.3 3.9 3.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/netsecfish/dlink
Third Party Advisory
Exploit
https://vuldb.com/?ctiid.259284
VDB Entry
Permissions Required
https://vuldb.com/?id.259284
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.304661
Third Party Advisory
VDB Entry