CVE-2024-8131 Information

Description

A vulnerability was found in D-Link DNS-120 DNR-202L DNS-315L DNS-320 DNS-320L DNS-320LW DNS-321 DNR-322L DNS-323 DNS-325 DNS-326 DNS-327L DNR-326 DNS-340L DNS-343 DNS-345 DNS-726-4 DNS-1100-4 DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Reference

https://vuldb.com/?id.275702 https://vuldb.com/?ctiid.275702 https://vuldb.com/?submit.396292 https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_module_enable_disable.md https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 https://www.dlink.com/