A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_s3_modify of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_job_name leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
Link | Resource |
---|---|
https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3_modify.md | Exploit Third Party Advisory |
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory |
https://vuldb.com/?ctiid.275700 | Permissions Required VDB Entry |
https://vuldb.com/?id.275700 | Third Party Advisory VDB Entry |
https://vuldb.com/?submit.396290 | Third Party Advisory VDB Entry |
https://www.dlink.com/ | Product |
History
27 Aug 2024, 15:33
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3_modify.md - Exploit, Third Party Advisory | |
References | () https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 - Vendor Advisory | |
References | () https://vuldb.com/?ctiid.275700 - Permissions Required, VDB Entry | |
References | () https://vuldb.com/?id.275700 - Third Party Advisory, VDB Entry | |
References | () https://vuldb.com/?submit.396290 - Third Party Advisory, VDB Entry | |
References | () https://www.dlink.com/ - Product | |
First Time | Dlink dnr-202l Firmware Dlink dns-326 Firmware Dlink dns-326 Dlink dns-726-4 Firmware Dlink dns-320lw Firmware Dlink dns-345 Firmware Dlink dns-321 Firmware Dlink dns-343 Firmware Dlink Dlink dns-315l Dlink dns-325 Firmware Dlink dns-1200-05 Dlink dns-340l Firmware Dlink dns-1100-4 Firmware Dlink dns-323 Firmware Dlink dns-325 Dlink dns-726-4 Dlink dns-1550-04 Dlink dns-320 Dlink dns-321 Dlink dns-345 Dlink dnr-322l Dlink dns-120 Dlink dns-315l Firmware Dlink dns-320 Firmware Dlink dns-320lw Dlink dns-320l Firmware Dlink dns-327l Dlink dns-120 Firmware Dlink dns-323 Dlink dns-320l Dlink dns-1550-04 Firmware Dlink dns-1200-05 Firmware Dlink dns-327l Firmware Dlink dnr-326 Firmware Dlink dnr-322l Firmware Dlink dns-1100-4 Dlink dns-343 Dlink dnr-326 Dlink dns-340l Dlink dnr-202l | |
CVSS | v2 : v3 : | v2 : 6.5 v3 : 9.8 |
CPE | cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:* |
|
CWE | CWE-78 |
26 Aug 2024, 12:47
Type | Values Removed | Values Added |
---|---|---|
Summary | | |
24 Aug 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-24 16:15
Updated : 2024-08-27 15:33
NVD link : CVE-2024-8129
Mitre link : CVE-2024-8129
CVE.ORG link : CVE-2024-8129
Products Affected
dlink
- dns-1100-4
- dns-345
- dns-340l
- dns-320
- dns-323
- dns-325_firmware
- dns-315l_firmware
- dns-120
- dnr-326_firmware
- dns-340l_firmware
- dns-1200-05_firmware
- dns-323_firmware
- dnr-322l
- dns-1200-05
- dns-325
- dns-320lw
- dns-343
- dns-326
- dns-1550-04_firmware
- dns-345_firmware
- dns-321_firmware
- dns-1550-04
- dns-320l_firmware
- dns-315l
- dnr-202l
- dns-327l_firmware
- dnr-202l_firmware
- dns-1100-4_firmware
- dns-343_firmware
- dnr-322l_firmware
- dns-726-4_firmware
- dns-321
- dns-320lw_firmware
- dns-326_firmware
- dnr-326
- dns-120_firmware
- dns-726-4
- dns-320l
- dns-320_firmware
- dns-327l