CVSS: 9.8 • EPSS: 92% • CPEs: 40 • EXPL: 8

A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

• https://github.com/Chocapikk/CVE-2024-3273
• https://github.com/adhikara13/CVE-2024-3273
• https://github.com/ThatNotEasy/CVE-2024-3273
• https://github.com/K3ysTr0K3R/CVE-2024-3273-EXPLOIT
• https://github.com/mrrobot0o/CVE-2024-3273-
• https://github.com/yarienkiva/honeypot-dlink-CVE-2024-3273
• https://github.com/OIivr/Turvan6rkus-CVE-2024-3273
• https://github.com/netsecfish/dlink
• https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
• https://vuldb.com/?ctiid.25928

• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 10.0 • EPSS: 5% • CPEs: 40 • EXPL: 2

A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

• https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE
• https://github.com/netsecfish/dlink
• https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
• https://vuldb.com/?ctiid.259283
• https://vuldb.com/?id.259283

• CWE-798: Use of Hard-coded Credentials

CVSS: 9.8 • EPSS: 97% • CPEs: 2 • EXPL: 1

D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution. D-Link DNS-320 device contains a command injection vulnerability in the system_mgr.cgi component that may allow for remote code execution.

• https://gist.github.com/WinMin/6f63fd1ae95977e0e2d49bd4b5f00675
• https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10183
• https://www.dlink.com/en/security-bulletin

• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 10.0 • EPSS: 97% • CPEs: 2 • EXPL: 1

The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection. The login_mgr.cgi script in D-Link DNS-320 is vulnerable to remote code execution.

• https://blog.cystack.net/d-link-dns-320-rce
• https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf

• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')