
CVE-2024-10916 – D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L HTTP GET Request info.xml information disclosure
https://notcve.org/view.php?id=CVE-2024-10916
06 Nov 2024 — A vulnerability classified as problematic has been found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It affects an unknown part of the file /xml/info.xml in the HTTP GET request handler: a remote GET for this file leads to information disclosure, and the attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://netsecfish.notion.site/Information-Disclosure-Vulnerability-Report-in-xml-info-xml-for-D-Link-NAS-12d6b683e67c8019a311e699582f51b6?pvs=4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-266: Incorrect Privilege Assignment • CWE-284: Improper Access Control

CVE-2024-10915 – D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection
https://notcve.org/view.php?id=CVE-2024-10915
06 Nov 2024 — A vulnerability rated critical was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. The affected code is the function cgi_user_add, reached through /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. Manipulation of the group argument leads to OS command injection. • https://netsecfish.notion.site/Command-Injection-Vulnerability-in-group-parameter-for-D-Link-NAS-12d6b683e67c803fa1a0c0d236c9a4c5?pvs=4 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-707: Improper Neutralization

CVE-2024-10914 – D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection
https://notcve.org/view.php?id=CVE-2024-10914
06 Nov 2024 — A vulnerability declared critical was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. The affected code is the same function cgi_user_add, reached through /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. Manipulation of the name argument leads to OS command injection. • https://packetstorm.news/files/id/183163 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-707: Improper Neutralization
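The two cgi_user_add entries above are the same bug reached through two arguments. The following Python is an added example, not D-Link's code (the account_mgr.cgi binary's source is not on this page): vulnerable_command() is a hypothetical reconstruction of the pattern, query values spliced into a /bin/sh command line, and hardened_argv() sits beside it with an allowlist and a shell-free argv. The adduser target program and the NAME_RE allowlist are assumptions of the example.

```python
"""Added example (not D-Link's code): the pattern behind the two
account_mgr.cgi cgi_user_add findings (CVE-2024-10914 via the name argument,
CVE-2024-10915 via the group argument) and one way to close it.

Assumptions: the handler ends up running "adduser", and account/group names
must look like lowercase POSIX names (NAME_RE). Both are hypothetical.
"""
import re
import subprocess
from urllib.parse import parse_qs

# Characters that let /bin/sh start a second command, substitute, or redirect.
SHELL_META = set(";|&`$<>(){}\n")

# Allowlist for what an account or group name may look like (assumption).
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def _name_and_group(query_string: str) -> tuple[str, str]:
    """Pull name= and group= out of the CGI query string, URL-decoded."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("name", [""])[0], params.get("group", [""])[0]


def contains_shell_meta(value: str) -> bool:
    """True if a shell would treat part of `value` as syntax, not data."""
    return any(ch in SHELL_META for ch in value)


def vulnerable_command(query_string: str) -> str:
    """Vulnerable pattern: build one string destined for shell=True.

    A value such as name=bob;id>/tmp/o makes the shell run a second command;
    the CGI never distinguishes data from syntax. The string is returned
    rather than executed so the example stays harmless.
    """
    name, group = _name_and_group(query_string)
    return f"adduser -G {group} {name}"


def hardened_argv(query_string: str) -> list[str]:
    """Hardened form: validate against an allowlist, then build an argv list.

    Raises ValueError on anything outside NAME_RE, so metacharacters never
    reach a process at all; the list form is later passed to the kernel
    directly (shell=False), so even a missed character is never parsed as
    shell syntax.
    """
    name, group = _name_and_group(query_string)
    for label, value in (("name", name), ("group", group)):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"rejected {label}={value!r}")
    return ["adduser", "-G", group, name]


def run_hardened(query_string: str, run=subprocess.run):
    """Execute the validated argv without a shell.

    `run` is injectable so a caller (or a test) can substitute a recorder
    instead of actually spawning adduser.
    """
    argv = hardened_argv(query_string)
    return run(argv, shell=False, check=False)


if __name__ == "__main__":
    benign = "cmd=cgi_user_add&name=bob&group=users"
    # Constructed attacker query: the name value carries ';' and '>'.
    hostile = "cmd=cgi_user_add&name=bob%3Bid%3E%2Ftmp%2Fo&group=users"
    print("vulnerable string:", vulnerable_command(hostile))
    print("hardened argv:    ", hardened_argv(benign))
    try:
        hardened_argv(hostile)
    except ValueError as exc:
        print("hardened argv:    ", exc)
```

The allowlist is the real fix; the argv list is defence in depth. Escaping with shlex.quote() alone is a weaker alternative, since the value still passes through a shell and a second bug in quoting reopens the hole.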

CVE-2024-51023
https://notcve.org/view.php?id=CVE-2024-51023
05 Nov 2024 — D-Link DIR_823G 1.0.2B05 was discovered to contain a command injection vulnerability via the Address parameter of the SetNetworkTomographySettings function. Attackers can execute arbitrary OS commands via a crafted request. • https://github.com/pjqwudi1/my_vuln/blob/main/D-link4/vuln_42/42.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-51024
https://notcve.org/view.php?id=CVE-2024-51024
05 Nov 2024 — D-Link DIR_823G 1.0.2B05 was discovered to contain a command injection vulnerability via the HostName parameter of the SetWanSettings function. Attackers can execute arbitrary OS commands via a crafted request. • https://github.com/pjqwudi1/my_vuln/blob/main/D-link4/vuln_43/43.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-48271
https://notcve.org/view.php?id=CVE-2024-48271
30 Oct 2024 — D-Link DSL6740C v6.TR069.20211230 was discovered to ship with insecure, predictable default Administrator credentials, possibly allowing attackers to bypass authentication and escalate privileges on the device via a brute-force attack. • https://gist.github.com/stevenyu113228/e264c145d6e6e6b59cf53fddc27409ad#1--predictable-administrator-credentials-in-d-link-dsl6740c-modem • CWE-521: Weak Password Requirements

CVE-2024-48272
https://notcve.org/view.php?id=CVE-2024-48272
30 Oct 2024 — D-Link DSL6740C v6.TR069.20211230 was discovered to use an insecure, predictable default Wi-Fi password, possibly allowing attackers to connect to the device via a brute-force attack. • https://gist.github.com/stevenyu113228/e264c145d6e6e6b59cf53fddc27409ad#2--predictable-wifi-password-in-d-link-dsl6740c-modem • CWE-521: Weak Password Requirements

CVE-2024-48631
https://notcve.org/view.php?id=CVE-2024-48631
17 Oct 2024 — D-Link DIR_882 (firmware DIR_882_FW130B06) and DIR_878 (firmware DIR_878_FW130B08) were discovered to contain a command injection vulnerability via the SSID parameter of the SetWLanRadioSettings function. Attackers can execute arbitrary OS commands via a crafted POST request. • https://github.com/pjqwudi1/my_vuln/blob/main/D-link4/vuln_32/32.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-48635
https://notcve.org/view.php?id=CVE-2024-48635
17 Oct 2024 — D-Link DIR_882 (firmware DIR_882_FW130B06) and DIR_878 (firmware DIR_878_FW130B08) were discovered to contain a command injection vulnerability via the VLANID:2/VID parameter of the SetVLANSettings function. Attackers can execute arbitrary OS commands via a crafted POST request. • https://github.com/pjqwudi1/my_vuln/tree/main/D-link4/vuln_38 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2024-48629
https://notcve.org/view.php?id=CVE-2024-48629
17 Oct 2024 — D-Link DIR_882 (firmware DIR_882_FW130B06) and DIR_878 (firmware DIR_878_FW130B08) were discovered to contain a command injection vulnerability via the IPAddress parameter of the SetGuestZoneRouterSettings function. Attackers can execute arbitrary OS commands via a crafted POST request. • https://github.com/pjqwudi1/my_vuln/blob/main/D-link4/vuln_34/34.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
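Every command injection entry in this list (the NAS cgi_user_add name and group arguments, the DIR_823G Address and HostName parameters, and the DIR_882/DIR_878 SSID, VLANID:2/VID and IPAddress parameters) names one handler and one parameter, and the info.xml entry names one path, which is enough to write a detection pass. The Python below is an added example, not part of any advisory: it runs rules built from those handler/parameter pairs over already-parsed request records. The records, their field names (src, method, path, action, params) and the sample values are constructed for the example; in practice they would come from a reverse proxy, a WAF or the device's access log after body decoding.

```python
"""Added example (not from the advisories): a detection pass over parsed
device requests for the handlers and parameters named in this list.

Record layout is an assumption: {"src", "method", "path", "action", "params"},
where "action" is the decoded request-body function name for the router
Set* handlers and "params" holds the decoded parameter values.
"""
from dataclasses import dataclass

# Characters that let /bin/sh start a second command, substitute, or redirect.
SHELL_META = set(";|&`$<>(){}\n")

# (CVE, how to recognise the handler, injectable parameter). "path" rules
# match a URL path plus its cmd= value; "action" rules match a decoded
# body action. "VLANID:2/VID" is kept as the advisory spells it, read here
# as a flattened key into the parameter structure.
INJECTION_RULES = [
    ("CVE-2024-10914", {"path": "/cgi-bin/account_mgr.cgi", "cmd": "cgi_user_add"}, "name"),
    ("CVE-2024-10915", {"path": "/cgi-bin/account_mgr.cgi", "cmd": "cgi_user_add"}, "group"),
    ("CVE-2024-51023", {"action": "SetNetworkTomographySettings"}, "Address"),
    ("CVE-2024-51024", {"action": "SetWanSettings"}, "HostName"),
    ("CVE-2024-48631", {"action": "SetWLanRadioSettings"}, "SSID"),
    ("CVE-2024-48635", {"action": "SetVLANSettings"}, "VLANID:2/VID"),
    ("CVE-2024-48629", {"action": "SetGuestZoneRouterSettings"}, "IPAddress"),
]


@dataclass(frozen=True)
class Alert:
    cve: str
    src: str
    param: str
    value: str


def _matches(rule: dict, req: dict) -> bool:
    """Does this request reach the handler the rule describes?"""
    if "path" in rule:
        return (req.get("path") == rule["path"]
                and req.get("params", {}).get("cmd") == rule["cmd"])
    return req.get("action") == rule["action"]


def analyze(requests) -> list:
    """Return one Alert per (request, rule) hit, in input order."""
    alerts = []
    for req in requests:
        params = req.get("params", {})
        # CVE-2024-10916: the file is reported to disclose information to a
        # remote GET, so any fetch of it is a signal. In production, drop
        # requests from the management network to cut noise.
        if req.get("method") == "GET" and req.get("path") == "/xml/info.xml":
            alerts.append(Alert("CVE-2024-10916", req["src"], "-", req["path"]))
        for cve, rule, param in INJECTION_RULES:
            if not _matches(rule, req):
                continue
            value = str(params.get(param, ""))
            if any(ch in SHELL_META for ch in value):
                alerts.append(Alert(cve, req["src"], param, value))
    return alerts


# Constructed sample traffic: two hostile sources, one benign admin session.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "method": "GET", "path": "/xml/info.xml", "params": {}},
    {"src": "192.0.2.10", "method": "GET", "path": "/cgi-bin/account_mgr.cgi",
     "params": {"cmd": "cgi_user_add", "name": "bob;id>/tmp/o", "group": "users"}},
    {"src": "198.51.100.7", "method": "POST", "action": "SetWanSettings",
     "params": {"HostName": "home`reboot`"}},
    {"src": "198.51.100.7", "method": "POST", "action": "SetVLANSettings",
     "params": {"VLANID:2/VID": "10$(id)"}},
    {"src": "203.0.113.5", "method": "POST", "action": "SetWLanRadioSettings",
     "params": {"SSID": "My Home WiFi"}},
    {"src": "203.0.113.5", "method": "POST", "action": "SetGuestZoneRouterSettings",
     "params": {"IPAddress": "192.168.7.1"}},
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_REQUESTS):
        print(f"{alert.cve}  src={alert.src}  {alert.param}={alert.value!r}")
```

Two caveats when tuning this: an SSID legitimately may contain characters such as `&`, so the SetWLanRadioSettings rule will need a stricter pattern or an allowlist of known-good SSIDs before it is alert-worthy on its own, and a metacharacter check is only a lower bound; the fix on the device side is the patched firmware, not the detector.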