CVSS: 6.5EPSS: 0%CPEs: 20EXPL: 1CVE-2024-7715 – D-Link DNS-1550-04 photocenter_mgr.cgi sprintf command injection
https://notcve.org/view.php?id=CVE-2024-7715
13 Aug 2024 — A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240812. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/photocenter_mgr.cgi. The manipulation of the argument filter leads to command injection. It is possible to initiate the attack remotely. • https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_photo_search.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 93%CPEs: 40EXPL: 9CVE-2024-3273 – D-Link Multiple NAS Devices Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-3273
04 Apr 2024 — A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Chocapikk/CVE-2024-3273 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 6%CPEs: 40EXPL: 3CVE-2024-3272 – D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
https://notcve.org/view.php?id=CVE-2024-3272
04 Apr 2024 — A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.8EPSS: 16%CPEs: 10EXPL: 0CVE-2014-7859 – D-Link Bypass / Buffer Overflow
https://notcve.org/view.php?id=CVE-2014-7859
28 May 2015 — Stack-based buffer overflow in login_mgr.cgi in D-Link firmware DNR-320L and DNS-320LW before 1.04b08, DNR-322L before 2.10 build 03, DNR-326 before 2.10 build 03, and DNS-327L before 1.04b01 allows remote attackers to execute arbitrary code by crafting malformed "Host" and "Referer" header values. Un desbordamiento de búfer basado en pila en login_mgr.cgi en D-Link firmware DNR-320L y DNS-320LW en versiones anteriores a la 1.04b08, DNR-322L en versiones anteriores a la 2.10 build 03, DNR-326 en versiones a... • http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 0%CPEs: 14EXPL: 0CVE-2014-7857 – D-Link Bypass / Buffer Overflow
https://notcve.org/view.php?id=CVE-2014-7857
28 May 2015 — D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build0119, DNR-326 1.40b03, DNS-320B 1.02b01, DNS-345 1.03b06, DNS-325 1.05b03, and DNS-322L 2.00b07 allow remote attackers to bypass authentication and log in with administrator permissions by passing the cgi_set_wto command in the cmd parameter, and setting the spawned session's cookie to username=admin. DNS-320L firmware anterior a la versión 1.04b12, DNS-327L anterior a la versión 1.03b04 Build0119, DNR-326 versión 1.40b03, DNS-320B versió... • http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2014-7858 – D-Link Bypass / Buffer Overflow
https://notcve.org/view.php?id=CVE-2014-7858
28 May 2015 — The check_login function in D-Link DNR-326 before 2.10 build 03 allows remote attackers to bypass authentication and log in by setting the username cookie parameter to an arbitrary string. La función check_login en D-Link DNR-326 en versiones anteriores a la 2.10 build 03 permite que atacantes remotos omitan la autenticación e inicien sesión estableciendo el parámetro username cookie en una cadena arbitraria. SEARCH-LAB performed an independent security assessment on four different D-Link devices. The asses... • http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html • CWE-287: Improper Authentication •