CVSS: 9.8EPSS: 92%CPEs: 40EXPL: 9CVE-2024-3273 – D-Link Multiple NAS Devices Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-3273
A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Chocapikk/CVE-2024-3273 https://github.com/adhikara13/CVE-2024-3273 https://github.com/ThatNotEasy/CVE-2024-3273 https://github.com/K3ysTr0K3R/CVE-2024-3273-EXPLOIT https://github.com/mrrobot0o/CVE-2024-3273- https://github.com/yarienkiva/honeypot-dlink-CVE-2024-3273 https://github.com/OIivr/Turvan6rkus-CVE-2024-3273 https://github.com/X-Projetion/CVE-2024-3273-D-Link-Remote-Code-Execution-RCE https://github.com/netsecfish/dlink https://supportannouncement.us • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 7%CPEs: 40EXPL: 2CVE-2024-3272 – D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
https://notcve.org/view.php?id=CVE-2024-3272
A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE https://github.com/netsecfish/dlink https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 https://vuldb.com/?ctiid.259283 https://vuldb.com/?id.259283 • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.8EPSS: 42%CPEs: 10EXPL: 0CVE-2014-7859
https://notcve.org/view.php?id=CVE-2014-7859
Stack-based buffer overflow in login_mgr.cgi in D-Link firmware DNR-320L and DNS-320LW before 1.04b08, DNR-322L before 2.10 build 03, DNR-326 before 2.10 build 03, and DNS-327L before 1.04b01 allows remote attackers to execute arbitrary code by crafting malformed "Host" and "Referer" header values. Un desbordamiento de búfer basado en pila en login_mgr.cgi en D-Link firmware DNR-320L y DNS-320LW en versiones anteriores a la 1.04b08, DNR-322L en versiones anteriores a la 2.10 build 03, DNR-326 en versiones anteriores a la 2.10 build 03, y DNS-327L en versiones anteriores a la 1.04b01 permite que atacantes remotos ejecuten código arbitrario mediante la manipulación de valores de cabecera "Host" y "Referer" con formato incorrecto. • http://packetstormsecurity.com/files/132075/D-Link-Bypass-Buffer-Overflow.html http://seclists.org/fulldisclosure/2015/May/125 http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf http://www.securityfocus.com/archive/1/535626/100/200/threaded http://www.securityfocus.com/bid/74878 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •