We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)
Bugpilot (Bug tracking)

Ok

THREATINT CVE Home CVE Diag Help
PUBLISHED

CVE-2024-3273

D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi command injection

Reserved:2024-04-03
Published:2024-04-04
Updated:2024-04-11

Description

EN DE

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

Es wurde eine Schwachstelle in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L bis 20240403 gefunden. Sie wurde als kritisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Datei /cgi-bin/nas_sharing.cgi der Komponente HTTP GET Request Handler. Durch die Manipulation des Arguments system mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.



HIGH: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
HIGH: 7.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.5AV:N/AC:L/Au:N/C:P/I:P/A:P (CVSS 2.0)

Problem types

CWE-77 Command Injection

Product status

20240403
affected

20240403
affected

20240403
affected

20240403
affected

Timeline

2024-04-03:Advisory disclosed
2024-04-03:VulDB entry created
2024-04-11:VulDB entry last update

Credits

netsecfish finder

netsecfish (VulDB User) reporter

References

https://vuldb.com/?id.259284 (VDB-259284 | D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi command injection) vdb-entry technical-description

https://vuldb.com/?ctiid.259284 (VDB-259284 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

https://vuldb.com/?submit.304661 (Submit #304661 | D-LINK DNS-340L, DNS-320L, DNS-327L, DNS-325 Version 1.11, Version 1.00.0409.2013, Version 1.09, Version 1.08, Version 1.03.0904.2013, Version 1.01 Command Injection, Backdoor Account) third-party-advisory

https://github.com/netsecfish/dlink exploit

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 related

cve.org CVE-2024-3273

nvd.nist.gov CVE-2024-3273

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-3273