CVE-2024-8127 Information

Description

A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_unzip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Reference

https://vuldb.com/?id.275698
https://vuldb.com/?ctiid.275698
https://vuldb.com/?submit.396236
https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_unzip.md
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
https://www.dlink.com/
