Submit #432848: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L Version 1.00, Version 1.01.0914.2012, Version 1.01, Version 1.02, Version 1.08 OS Command Injection

Title: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L Version 1.00, Version 1.01.0914.2012, Version 1.01, Version 1.02, Version 1.08 OS Command Injection
Description: A command injection vulnerability has been identified in the `account_mgr.cgi` URI of certain D-Link NAS devices. Specifically, the vulnerability exists in the handling of the `group` parameter used within the CGI script `cgi_user_add` command. This flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet.
Source: https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4
User: netsecfish (UID 64568)
Submission: 28/10/2024 14:25 (2 years ago)
Moderation: 06/11/2024 08:08 (9 days later)
Status: Accepted
VulDB entry: 283310 [D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L up to 20241028 account_mgr.cgi?cmd=cgi_user_add group privilege escalation]
Points: 17