Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2024-8127

Опубликовано: 24 авг. 2024
Источник: nvd
CVSS3: 6.3
CVSS3: 9.8
CVSS2: 6.5
EPSS Низкий

Описание

A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_unzip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*
Конфигурация 2

Одновременно

cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*
Конфигурация 3

Одновременно

cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*
Конфигурация 4

Одновременно

cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*
Конфигурация 5

Одновременно

cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*
Конфигурация 6

Одновременно

cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*
Конфигурация 7

Одновременно

cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*
Конфигурация 8

Одновременно

cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*
Конфигурация 9

Одновременно

cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*
Конфигурация 10

Одновременно

cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*
Конфигурация 11

Одновременно

cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*
Конфигурация 12

Одновременно

cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*
Конфигурация 13

Одновременно

cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*
Конфигурация 14

Одновременно

cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*
Конфигурация 15

Одновременно

cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*
Конфигурация 16

Одновременно

cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*
Конфигурация 17

Одновременно

cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*
Конфигурация 18

Одновременно

cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*
Конфигурация 19

Одновременно

cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*
Конфигурация 20

Одновременно

cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*

EPSS

Процентиль: 85%
0.02376
Низкий

6.3 Medium

CVSS3

9.8 Critical

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-77
CWE-78

Связанные уязвимости

github логотип

GHSA-7vp8-wwfv-6g24

CVSS3: 6.3
github
больше 1 года назад

A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_unzip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

EPSS

Процентиль: 85%
0.02376
Низкий

6.3 Medium

CVSS3

9.8 Critical

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-77
CWE-78