Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2024-8129

Опубликовано: 24 авг. 2024
Источник: nvd
CVSS3: 6.3
CVSS3: 9.8
CVSS2: 6.5
EPSS Средний

Описание

A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_s3_modify of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_job_name leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*
Конфигурация 2

Одновременно

cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*
Конфигурация 3

Одновременно

cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*
Конфигурация 4

Одновременно

cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*
Конфигурация 5

Одновременно

cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*
Конфигурация 6

Одновременно

cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*
Конфигурация 7

Одновременно

cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*
Конфигурация 8

Одновременно

cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*
Конфигурация 9

Одновременно

cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*
Конфигурация 10

Одновременно

cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*
Конфигурация 11

Одновременно

cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*
Конфигурация 12

Одновременно

cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*
Конфигурация 13

Одновременно

cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*
Конфигурация 14

Одновременно

cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*
Конфигурация 15

Одновременно

cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*
Конфигурация 16

Одновременно

cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*
Конфигурация 17

Одновременно

cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*
Конфигурация 18

Одновременно

cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*
Конфигурация 19

Одновременно

cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*
Конфигурация 20

Одновременно

cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*

EPSS

Процентиль: 95%
0.16751
Средний

6.3 Medium

CVSS3

9.8 Critical

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-77
CWE-78

Связанные уязвимости

github логотип

GHSA-hg7f-mj9p-7743

CVSS3: 6.3
github
больше 1 года назад

A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_s3_modify of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_job_name leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

EPSS

Процентиль: 95%
0.16751
Средний

6.3 Medium

CVSS3

9.8 Critical

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-77
CWE-78