| Título | D-Link DNS 320/320L/321/323/325/327L Buffer Overflow |
|---|
| Descripción | The DLINK nas DNS-320/320L/321/323/325/327L all firmware version has a command injection vulnerability in cgi_get_fullscreen_photos function of the file /cgi-bin/photocenter_mgr.cgi. The variable user is passed from a POST request and is assigned to v13 via the sprintf function at line 60. It is then passed into v10 and invoked by the system command, which leads to command execution.
|
|---|
| Fuente | ⚠️ https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_get_fullscreen_photos.md |
|---|
| Usuario | BuaaI0TTeam (UID 73421) |
|---|
| Sumisión | 2024-08-13 10:56 (hace 2 años) |
|---|
| Moderación | 2024-08-15 07:27 (2 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 274730 [D-Link DNS-1550-04 hasta 20240814 photocenter_mgr.cgi cgi_get_fullscreen_photos Usuario desbordamiento de búfer] |
|---|
| Puntos | 20 |
|---|