CVE-2024-10914

CVE Database · CVE-2024-10914

CVE-2024-10914

· HIGHModified

CVSS v3.1

8.1

CVSS v4.0

9.2

EPSS

97.43%

Published

Nov 6, 2024

Modified

Nov 24, 2024

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-74CWE-78CWE-707

Affected Products (8)

dlink · dns-320_firmwarevulnerable

dlink · dns-320

dlink · dns-320lw_firmwarevulnerable

dlink · dns-320lw

dlink · dns-325_firmwarevulnerable

dlink · dns-325

dlink · dns-340l_firmwarevulnerable