ID

VAR-202411-0368


CVE

CVE-2024-10915


TITLE

OS command injection vulnerability in multiple D-Link Systems, Inc. products

Trust: 0.8

sources: JVNDB: JVNDB-2024-012288

DESCRIPTION

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to OS command injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. An OS command injection vulnerability exists in multiple D-Link Systems, Inc. products, including D-Link DNS-320 firmware, D-Link DNS-320LW firmware and D-Link DNS-325 firmware. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2024-10915 // JVNDB: JVNDB-2024-012288

AFFECTED PRODUCTS

vendor: dlink, model: dns-320lw, scope: eq, version: *

Trust: 1.0

vendor: dlink, model: dns-340l, scope: eq, version: *

Trust: 1.0

vendor: dlink, model: dns-320, scope: eq, version: *

Trust: 1.0

vendor: dlink, model: dns-325, scope: eq, version: *

Trust: 1.0

vendor: d link, model: d-link dns-320, scope: -, version: -

Trust: 0.8

vendor: d link, model: d-link dns-320lw, scope: -, version: -

Trust: 0.8

vendor: d link, model: d-link dns-325, scope: -, version: -

Trust: 0.8

vendor: d link, model: dns-340l, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2024-012288 // NVD: CVE-2024-10915

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2024-10915
value: CRITICAL

Trust: 1.0

nvd@nist.gov: CVE-2024-10915
value: CRITICAL

Trust: 1.0

OTHER: JVNDB-2024-012288
value: CRITICAL

Trust: 0.8

cna@vuldb.com: CVE-2024-10915
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2024-012288
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

cna@vuldb.com: CVE-2024-10915
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2024-10915
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2024-012288
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2024-012288 // NVD: CVE-2024-10915 // NVD: CVE-2024-10915

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:CWE-74

Trust: 1.0

problemtype:CWE-707

Trust: 1.0

problemtype:Improper sanitization (CWE-707) [ others ]

Trust: 0.8

problemtype:Injection (CWE-74) [ others ]

Trust: 0.8

problemtype:OS Command injection (CWE-78) [ NVD evaluation ]

Trust: 0.8

problemtype:OS Command injection (CWE-78) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-012288 // NVD: CVE-2024-10915

EXTERNAL IDS

db: NVD, id: CVE-2024-10915

Trust: 2.6

db: VULDB, id: 283310

Trust: 1.8

db: JVNDB, id: JVNDB-2024-012288

Trust: 0.8

sources: JVNDB: JVNDB-2024-012288 // NVD: CVE-2024-10915

REFERENCES

url:https://netsecfish.notion.site/command-injection-vulnerability-in-group-parameter-for-d-link-nas-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4

Trust: 1.8

url:https://vuldb.com/?ctiid.283310

Trust: 1.8

url:https://vuldb.com/?id.283310

Trust: 1.8

url:https://vuldb.com/?submit.432848

Trust: 1.8

url:https://www.dlink.com/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2024-10915

Trust: 0.8

sources: JVNDB: JVNDB-2024-012288 // NVD: CVE-2024-10915

SOURCES

db: JVNDB, id: JVNDB-2024-012288
db: NVD, id: CVE-2024-10915

LAST UPDATE DATE

2024-11-12T23:29:43.037000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2024-012288, date: 2024-11-11T02:51:00
db: NVD, id: CVE-2024-10915, date: 2024-11-08T20:11:10.973

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2024-012288, date: 2024-11-11T00:00:00
db: NVD, id: CVE-2024-10915, date: 2024-11-06T14:15:05.783