CVE-2024-10914

CVSS V2 None CVSS V3 None

Description

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Overview

CVE ID
CVE-2024-10914

Assigner
VulDB

Vulnerability Status
PUBLISHED

Published Version
2024-11-06T13:31:05.242Z

Last Modified Date
2024-11-06T15:28:18.316Z

Weakness Enumerations

CWE	URL
CWE-78	http://cwe.mitre.org/data/definitions/78.html
CWE-74	http://cwe.mitre.org/data/definitions/74.html
CWE-707	http://cwe.mitre.org/data/definitions/707.html

References

Reference URL	Reference Tags
https://vuldb.com/?id.283309	vdb-entry technical-description
https://vuldb.com/?ctiid.283309	signature permissions-required
https://vuldb.com/?submit.432847	third-party-advisory
https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07?pvs=4	exploit
https://www.dlink.com/	product

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-10914
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10914

History

Created	Old Value	New Value	Data Type	Notes
2024-11-07 13:14:00				Added to TrackCVE