CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38437 – D-Link - CWE-288: Authentication Bypass Using an Alternate Path or Channel
https://notcve.org/view.php?id=CVE-2024-38437
21 Jul 2024 — D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel D-Link - CWE-288: omisión de autenticación mediante una ruta o canal alternativo • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39962
https://notcve.org/view.php?id=CVE-2024-39962
19 Jul 2024 — D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router v21_D240126 was discovered to contain a remote code execution (RCE) vulnerability in the ntp_zone_val parameter at /goform/set_ntp. This vulnerability is exploited via a crafted HTTP request. Se descubrió que D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router v21_D240126 contiene una vulnerabilidad de ejecución remota de código (RCE) en el parámetro ntp_zone_val en /goform/set_ntp. Esta vulnerabilidad se explota mediante una solicitud HTTP manip... • https://gist.github.com/Swind1er/40c33f1b1549028677cb4e2e5ef69109 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-40505
https://notcve.org/view.php?id=CVE-2024-40505
16 Jul 2024 — Directory Traversal vulnerability in D-Link DAP-1650 Firmware v.1.03 allows a local attacker to escalate privileges via the hedwig.cgi component. La vulnerabilidad de Directory Traversal en el firmware D-Link DAP-1650 v.1.03 permite a un atacante local escalar privilegios a través del componente hedwig.cgi. **UNSUPPORTED WHEN ASSIGNED** Directory Traversal vulnerability in D-Link DAP-1650 Firmware v.1.03 allows a local attacker to escalate privileges via the hedwig.cgi component. • https://coldwx.github.io/CVE-2024-40505.html • CWE-35: Path Traversal: '.../ •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2024-39202
https://notcve.org/view.php?id=CVE-2024-39202
08 Jul 2024 — D-Link DIR-823X firmware - 240126 was discovered to contain a remote command execution (RCE) vulnerability via the dhcpd_startip parameter at /goform/set_lan_settings. Se descubrió que el firmware D-Link DIR-823X - 240126 contiene una vulnerabilidad de ejecución remota de comandos (RCE) a través del parámetro dhcpd_startip en /goform/set_lan_settings. • https://gist.github.com/Swind1er/40c33f1b1549028677cb4e2e5ef69109 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2024-6525 – D-Link DAR-7000 decodmail.php deserialization
https://notcve.org/view.php?id=CVE-2024-6525
05 Jul 2024 — A vulnerability was found in D-Link DAR-7000 up to 20230922. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /log/decodmail.php. The manipulation of the argument file leads to deserialization. The attack may be launched remotely. • https://github.com/flyyue2001/cve/blob/main/D-LINK%20-DAR-7000_rce_%20decodmail.md • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 15EXPL: 0CVE-2024-6045 – D-Link router - Hidden Backdoor
https://notcve.org/view.php?id=CVE-2024-6045
17 Jun 2024 — Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained from analyzing the firmware. Ciertos modelos de enrutadores inalámbricos D-Link contienen una puerta trasera de prueba de fábrica no revelada. Los atacantes no autenticados en la red de área local pueden obligar al dispositivo a hab... • https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10398 • CWE-798: Use of Hard-coded Credentials CWE-912: Hidden Functionality •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37630
https://notcve.org/view.php?id=CVE-2024-37630
13 Jun 2024 — D-Link DIR-605L v2.13B01 was discovered to contain a hardcoded password vulnerability in /etc/passwd, which allows attackers to log in as root. Se descubrió que D-Link DIR-605L v2.13B01 contiene una vulnerabilidad de contraseña codificada en /etc/passwd, que permite a los atacantes iniciar sesión como root. • https://github.com/s4ndw1ch136/IOT-vuln-reports/blob/main/D-link/DIR-605L/README.md • CWE-798: Use of Hard-coded Credentials •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5293 – D-Link DIR-2640 HTTP Referer Stack-Based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5293
23 May 2024 — D-Link DIR-2640 HTTP Referer Stack-Based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2640-US routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within prog.cgi, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of the length of user-supplied ... • https://www.zerodayinitiative.com/advisories/ZDI-24-444 • CWE-121: Stack-based Buffer Overflow •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33343
https://notcve.org/view.php?id=CVE-2024-33343
26 Apr 2024 — D-Link DIR-822+ V1.0.5 was found to contain a command injection in ChgSambaUserSettings function of prog.cgi, which allows remote attackers to execute arbitrary commands via shell. Se descubrió que D-Link DIR-822+ V1.0.5 contenía una inyección de comando en la función ChgSambaUserSettings de prog.cgi, que permite a atacantes remotos ejecutar comandos arbitrarios a través del shell. • http://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DIR-822%2B • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 94%CPEs: 40EXPL: 10CVE-2024-3273 – D-Link Multiple NAS Devices Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-3273
04 Apr 2024 — A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Chocapikk/CVE-2024-3273 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •