CVE-2024-8127

MEDIUM

D-Link DNS/NAS Firmware - OS Command Injection via cgi_unzip Path Parameter

Title source: llm

Description

A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_unzip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

References (6)

Core References (6)
Product [product]: https://www.dlink.com/
Permissions Required, VDB Entry [vdb-entry, technical-description]: https://vuldb.com/?id.275698
Permissions Required, VDB Entry [signature, permissions-required]: https://vuldb.com/?ctiid.275698
Third Party Advisory, VDB Entry [third-party-advisory]: https://vuldb.com/?submit.396236

Scores

CVSS v3: 6.3
EPSS: 0.0238
EPSS Percentile: 85.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-78, CWE-77
Status: published
Products (20):
dlink/dnr-202l_firmware
dlink/dnr-322l_firmware
dlink/dnr-326_firmware
dlink/dns-1100-4_firmware
dlink/dns-1200-05_firmware
dlink/dns-120_firmware
dlink/dns-1550-04_firmware
dlink/dns-315l_firmware
dlink/dns-320_firmware
dlink/dns-320l_firmware
... and 10 more
Published: Aug 24, 2024
Tracked Since: Feb 18, 2026