| Title | D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L Version 1.00, Version 1.01.0914.2012, Version 1.01, Version 1.02, Version 1.08 Command Injection |
|---|---|
| Description | A command injection vulnerability has been identified in the `account_mgr.cgi` URI of certain D-Link NAS devices. Specifically, the vulnerability exists in the handling of the `name` parameter used within the CGI script `cgi_user_add` command. This flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet. |
| Source | https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07?pvs=4 |
| User | netsecfish (UID 64568) |
| Submission | 10/28/2024 14:23 (2 years ago) |
| Moderation | 11/06/2024 08:08 (9 days later) |
| Status | Accepted |
| VulDB entry | 283309 [D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L up to 20241028 account_mgr.cgi?cmd=cgi_user_add Name os command injection] |
| Points | 17 |