ID

VAR-202411-0293


CVE

CVE-2024-10914


TITLE

Improper sanitization vulnerability in multiple D-Link Systems, Inc. products

Trust: 0.8

sources: JVNDB: JVNDB-2024-012303

DESCRIPTION

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to OS command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Multiple D-Link Systems, Inc. products, including D-Link DNS-320 firmware, D-Link DNS-320LW firmware and D-Link DNS-325 firmware, contain vulnerabilities related to improper sanitization, injection and OS command injection. As a result, information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2024-10914 // JVNDB: JVNDB-2024-012303

AFFECTED PRODUCTS

vendor: dlink, model: dns-325, scope: eq, version: *

Trust: 1.0

vendor: dlink, model: dns-320, scope: eq, version: *

Trust: 1.0

vendor: dlink, model: dns-320lw, scope: eq, version: *

Trust: 1.0

vendor: dlink, model: dns-340l, scope: eq, version: *

Trust: 1.0

vendor: d link, model: d-link dns-320, scope: -, version: -

Trust: 0.8

vendor: d link, model: d-link dns-320lw, scope: -, version: -

Trust: 0.8

vendor: d link, model: d-link dns-325, scope: -, version: -

Trust: 0.8

vendor: d link, model: dns-340l, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2024-012303 // NVD: CVE-2024-10914

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2024-10914
value: CRITICAL

Trust: 1.0

nvd@nist.gov: CVE-2024-10914
value: CRITICAL

Trust: 1.0

OTHER: JVNDB-2024-012303
value: CRITICAL

Trust: 0.8

cna@vuldb.com: CVE-2024-10914
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2024-012303
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

cna@vuldb.com: CVE-2024-10914
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2024-10914
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2024-012303
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2024-012303 // NVD: CVE-2024-10914 // NVD: CVE-2024-10914

PROBLEMTYPE DATA

problemtype:CWE-707

Trust: 1.0

problemtype:CWE-78

Trust: 1.0

problemtype:CWE-74

Trust: 1.0

problemtype:Improper sanitization (CWE-707) [ others ]

Trust: 0.8

problemtype:Injection (CWE-74) [ others ]

Trust: 0.8

problemtype:OS Command injection (CWE-78) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-012303 // NVD: CVE-2024-10914

EXTERNAL IDS

db: NVD, id: CVE-2024-10914

Trust: 2.6

db: VULDB, id: 283309

Trust: 1.0

db: JVNDB, id: JVNDB-2024-012303

Trust: 0.8

sources: JVNDB: JVNDB-2024-012303 // NVD: CVE-2024-10914

REFERENCES

url:https://netsecfish.notion.site/command-injection-vulnerability-in-name-parameter-for-d-link-nas-12d6b683e67c80c49ffcc9214c239a07?pvs=4

Trust: 1.8

url:https://vuldb.com/?submit.432847

Trust: 1.8

url:https://www.dlink.com/

Trust: 1.8

url:https://vuldb.com/?ctiid.283309

Trust: 1.0

url:https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/

Trust: 1.0

url:https://vuldb.com/?id.283309

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2024-10914

Trust: 0.8

sources: JVNDB: JVNDB-2024-012303 // NVD: CVE-2024-10914

SOURCES

db: JVNDB, id: JVNDB-2024-012303
db: NVD, id: CVE-2024-10914

LAST UPDATE DATE

2024-11-25T23:32:54.827000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2024-012303, date: 2024-11-11T03:18:00
db: NVD, id: CVE-2024-10914, date: 2024-11-24T15:15:06.090

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2024-012303, date: 2024-11-11T00:00:00
db: NVD, id: CVE-2024-10914, date: 2024-11-06T14:15:05.310