CVE-2024-8128

MEDIUM

D-Link DNS/NAS Firmware - OS Command Injection via cgi_add_zip Path Parameter

Description

A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This issue affects the function cgi_add_zip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.275699
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.275699
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.396237
Product product
https://www.dlink.com/

Scores

CVSS v3: 6.3
EPSS: 0.0307
EPSS Percentile: 86.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-78, CWE-77
Status: published
Products (20)
dlink/dnr-202l_firmware
dlink/dnr-322l_firmware
dlink/dnr-326_firmware
dlink/dns-1100-4_firmware
dlink/dns-1200-05_firmware
dlink/dns-120_firmware
dlink/dns-1550-04_firmware
dlink/dns-315l_firmware
dlink/dns-320_firmware
dlink/dns-320l_firmware
... and 10 more
Published Aug 24, 2024
Tracked Since Feb 18, 2026