A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function cgi_create_import_users/cgi_user_batch_create/cgi_user_set_quota/cgi_user_del/cgi_user_modify/cgi_group_set_quota/cgi_group_modify/cgi_group_add/cgi_user_add/cgi_get_modify_group_info/cgi_chg_admin_pw of the file /cgi-bin/account_mgr.cgi. The manipulation leads to command injection.
It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 15
https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_148/148.md
cna@vuldb.com
https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_149/149.md
cna@vuldb.com
https://vuldb.com/?ctiid.351120
cna@vuldb.com
https://vuldb.com/?id.351120
cna@vuldb.com
https://vuldb.com/?submit.770429
cna@vuldb.com
https://vuldb.com/?submit.770430
cna@vuldb.com
https://vuldb.com/?submit.770431
cna@vuldb.com
https://vuldb.com/?submit.770432
cna@vuldb.com
https://vuldb.com/?submit.770433
cna@vuldb.com
https://vuldb.com/?submit.770434
cna@vuldb.com
https://vuldb.com/?submit.770435
cna@vuldb.com
https://vuldb.com/?submit.770436
cna@vuldb.com
https://vuldb.com/?submit.770437
cna@vuldb.com
https://vuldb.com/?submit.770438
cna@vuldb.com
https://www.dlink.com/
cna@vuldb.com