Sign-up

ID

VAR-202405-0252


CVE

CVE-2024-4960


TITLE

D-Link DAR-7000-40 Command Execution Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-01812

DESCRIPTION

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in D-Link DAR-7000-40 V31R02B1413C. Affected is an unknown function of the file interface/sysmanage/licenseauthorization.php. The manipulation of the argument file_upload leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264528. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. D-Link DAR-7000-40 is an Internet behavior audit gateway of D-Link, a Chinese company. D-Link DAR-7000-40 has a command execution vulnerability, which is caused by the incorrect verification of the file extension by the interface/sysmanage/license authorization.php script. Attackers can use this vulnerability to upload malicious PHP scripts and execute arbitrary PHP code on the system

Trust: 1.44

sources: NVD: CVE-2024-4960 // CNVD: CNVD-2025-01812

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-01812

AFFECTED PRODUCTS

vendor:d linkmodel:dar-7000-40 31r02b1413cscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2025-01812

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2024-4960
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2025-01812
value: MEDIUM

Trust: 0.6

cna@vuldb.com: CVE-2024-4960
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2025-01812
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2024-4960
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-01812 // NVD: CVE-2024-4960

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.0

sources: NVD: CVE-2024-4960

EXTERNAL IDS

db:NVDid:CVE-2024-4960

Trust: 1.6

db:DLINKid:SAP10354

Trust: 1.0

db:VULDBid:264528

Trust: 1.0

db:CNVDid:CNVD-2025-01812

Trust: 0.6

sources: CNVD: CNVD-2025-01812 // NVD: CVE-2024-4960

REFERENCES

url:https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/%3cwhb%7cj%5cibsu0m4%3a_/d-link-dar-7000_upload_%20licenseauthorization.php.php.pdf

Trust: 1.0

url:https://supportannouncement.us.dlink.com/security/publication.aspx?name=sap10354

Trust: 1.0

url:https://vuldb.com/?ctiid.264528

Trust: 1.0

url:https://vuldb.com/?id.264528

Trust: 1.0

url:https://vuldb.com/?submit.333777

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2024-4960

Trust: 0.6

sources: CNVD: CNVD-2025-01812 // NVD: CVE-2024-4960

SOURCES

db:CNVDid:CNVD-2025-01812
db:NVDid:CVE-2024-4960

LAST UPDATE DATE

2025-01-25T22:29:30.865000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2025-01812date:2025-01-20T00:00:00
db:NVDid:CVE-2024-4960date:2024-08-01T21:15:53.753

SOURCES RELEASE DATE

db:CNVDid:CNVD-2025-01812date:2025-01-22T00:00:00
db:NVDid:CVE-2024-4960date:2024-05-16T06:15:14.650