| Titolo | D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L Version 1.00, Version 1.01.0914.2012, Version 1.01, Version 1.02, Version 1.08 Command Injection |
|---|
| Descrizione | A command injection vulnerability has been identified in the `account_mgr.cgi` URI of certain D-Link NAS devices. Specifically, the vulnerability exists in the handling of the `name` parameter used within the CGI script `cgi_user_add` command. This flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet. |
|---|
| Fonte | ⚠️ https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07?pvs=4 |
|---|
| Utente | netsecfish (UID 64568) |
|---|
| Sottomissione | 28/10/2024 14:23 (2 anni fa) |
|---|
| Moderazione | 06/11/2024 08:08 (9 days later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 283309 [D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L fino a 20241028 account_mgr.cgi?cmd=cgi_user_add Nome escalationi di privilegi] |
|---|
| Punti | 17 |
|---|