CVE-2024-8128 Information

Description

A vulnerability which was classified as critical has been found in D-Link DNS-120 DNR-202L DNS-315L DNS-320 DNS-320L DNS-320LW DNS-321 DNR-322L DNS-323 DNS-325 DNS-326 DNS-327L DNR-326 DNS-340L DNS-343 DNS-345 DNS-726-4 DNS-1100-4 DNS-1200-05 and DNS-1550-04 up to 20240814. This issue affects the function cgi_add_zip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Reference

https://vuldb.com/?id.275699 https://vuldb.com/?ctiid.275699 https://vuldb.com/?submit.396237 https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_add_zip.md https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 https://www.dlink.com/