CVSS: 6.5EPSS: 1%CPEs: 19EXPL: 1CVE-2024-7357 – D-Link DIR-600 soap.cgi soapcgi_main os command injection
https://notcve.org/view.php?id=CVE-2024-7357
01 Aug 2024 — A vulnerability was found in D-Link DIR-600 up to 2.18. It has been rated as critical. This issue affects the function soapcgi_main of the file /soap.cgi. The manipulation of the argument service leads to os command injection. The attack may be initiated remotely. • https://vuldb.com/?id.273329 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-38438 – D-Link - CWE-294: Authentication Bypass by Capture-replay
https://notcve.org/view.php?id=CVE-2024-38438
21 Jul 2024 — D-Link - CWE-294: Authentication Bypass by Capture-replay D-Link - CWE-294: Omisión de autenticación mediante Capture-replay • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36755
https://notcve.org/view.php?id=CVE-2024-36755
27 Jun 2024 — D-Link DIR-1950 up to v1.11B03 does not validate SSL certificates when requesting the latest firmware version and downloading URL. This can allow attackers to downgrade the firmware version or change the downloading URL via a man-in-the-middle attack. • https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10401 • CWE-599: Missing Validation of OpenSSL Certificate •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2024-5299 – D-Link D-View execMonitorScript Exposed Dangerous Method Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5299
23 May 2024 — D-Link D-View execMonitorScript Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the execMonitorScript method. The issue results from an exposed dangerous method. • https://www.zerodayinitiative.com/advisories/ZDI-24-450 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2024-5298 – D-Link D-View queryDeviceCustomMonitorResult Exposed Dangerous Method Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5298
23 May 2024 — D-Link D-View queryDeviceCustomMonitorResult Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the queryDeviceCustomMonitorResult method. The issue results from an exposed dangerous method. • https://www.zerodayinitiative.com/advisories/ZDI-24-449 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 0CVE-2024-5297 – D-Link D-View executeWmicCmd Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5297
23 May 2024 — D-Link D-View executeWmicCmd Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the executeWmicCmd method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://www.zerodayinitiative.com/advisories/ZDI-24-448 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5296 – D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-5296
23 May 2024 — D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. • https://www.zerodayinitiative.com/advisories/ZDI-24-447 • CWE-321: Use of Hard-coded Cryptographic Key •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2024-5295 – D-Link G416 flupl self Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5295
23 May 2024 — D-Link G416 flupl self Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link G416 wireless routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HTTP service listening on TCP port 80. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://www.zerodayinitiative.com/advisories/ZDI-24-446 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5292 – D-Link Network Assistant Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-5292
23 May 2024 — D-Link Network Assistant Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of D-Link Network Assistant. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the DNACore service. The service loads a file from an unsecured location. • https://www.zerodayinitiative.com/advisories/ZDI-24-443 • CWE-427: Uncontrolled Search Path Element •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-5291 – D-Link DIR-2150 GetDeviceSettings Target Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5291
23 May 2024 — D-Link DIR-2150 GetDeviceSettings Target Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SOAP API interface, which listens on TCP port 80 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://www.zerodayinitiative.com/advisories/ZDI-24-442 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •