| Titel | D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L Version 1.00, Version 1.01.0914.2012, Version 1.01, Version 1.02, Version 1.08 OS Command Injection |
|---|
| Beschreibung | A command injection vulnerability has been identified in the `account_mgr.cgi` URI of certain D-Link NAS devices. Specifically, the vulnerability exists in the handling of the `group` parameter used within the CGI script `cgi_user_add` command. This flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet. |
|---|
| Quelle | ⚠️ https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4 |
|---|
| Benutzer | netsecfish (UID 64568) |
|---|
| Einreichung | 28.10.2024 14:25 (vor 2 Jahren) |
|---|
| Moderieren | 06.11.2024 08:08 (9 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 283310 [D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L bis 20241028 account_mgr.cgi?cmd=cgi_user_add group erweiterte Rechte] |
|---|
| Punkte | 17 |
|---|