# D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add Command Injection Vulnerability
## Overview
A critical vulnerability exists in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L software versions prior to 20241028. It affects the `cgi_user_add` function in the file `/cgi-bin/account_mgr.cgi?cmd=cgi_user_add`.
## Affected versions
- D-Link DNS-320
- D-Link DNS-320LW
- D-Link DNS-325
- D-Link DNS-340L

Version: 20241028 and earlier
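## Details
The vulnerability allows operating system command injection through manipulation of the `name` parameter. The attack can be launched remotely, although its complexity is rather high and exploitation is difficult. The exploit method has been publicly disclosed and may be used maliciously.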
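## Impact
- An attacker can exploit this vulnerability remotely to inject operating system commands.
- Exploitation is difficult, but because the method has been made public there is a potential risk of malicious use.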
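
A defensive check for the `name` parameter injection described above, as an added example that is not part of the original advisory: it scans web access logs for requests to the `cgi_user_add` endpoint whose decoded `name` value falls outside a conservative username allowlist. The log format, the sample lines, the `other_action` value and the allowlist pattern are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate account names use only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Assumption: combined-log-style lines; client address first, request in quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Return (client, name) pairs for cgi_user_add requests with an unsafe name."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/cgi-bin/account_mgr.cgi"):
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are
        # compared against the allowlist in their decoded form.
        params = parse_qs(url.query, keep_blank_values=True)
        if "cgi_user_add" not in params.get("cmd", []):
            continue
        for name in params.get("name", []):
            if not SAFE_NAME.fullmatch(name):
                hits.append((client, name))
    return hits

# Constructed sample log lines (documentation addresses, not from a real device).
# "other_action" is a hypothetical cmd value used only as a negative case.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2024:10:00:00 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Nov/2024:10:00:05 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=test%3Bvalue HTTP/1.1" 200 98',
    '198.51.100.7 - - [01/Nov/2024:10:00:09 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=other_action&name=test%3Bvalue HTTP/1.1" 200 300',
    '203.0.113.5 - - [01/Nov/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, name in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {client} sent unsafe name value {name!r}")
```

Values sent in a POST body do not appear in access logs, so this check only covers requests that carry `name` in the query string.
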

| # | PoC description | Source link | Shenlong link |
|---|---|---|---|
| 1 | Exploit for cve-2024-10914: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L Version 1.00, Version 1.01.0914.2012, Version 1.01, Version 1.02, Version 1.08 Command Injection | https://github.com/imnotcha0s/CVE-2024-10914 | PoC details |
| 2 | POC - CVE-2024–10914- Command Injection Vulnerability in `name` parameter for D-Link NAS | https://github.com/verylazytech/CVE-2024-10914 | PoC details |
| 3 | This is a detection program for a D-Link RCE vulnerability | https://github.com/Bu0uCat/D-Link-NAS-CVE-2024-10914- | PoC details |
| 4 | CVE-2024-10914_Manual testing with burpsuite | https://github.com/Egi08/CVE-2024-10914 | PoC details |
| 5 | CVE-2024-10914 is a critical command injection vulnerability affecting several legacy D-Link Network Attached Storage (NAS) devices. | https://github.com/ThemeHackers/CVE-2024-10914 | PoC details |
| 6 | dlink vulnerability thing in python and rust | https://github.com/retuci0/cve-2024-10914-port | PoC details |
| 7 | A PoC exploit for CVE-2024-10914 - D-Link Remote Code Execution (RCE) | https://github.com/K3ysTr0K3R/CVE-2024-10914-EXPLOIT | PoC details |
| 8 | CVE-2024-10914 is a critical vulnerability affecting the D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L up to version 20241028. The function cgi_user_add in the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add is the culprit, allowing attackers to inject operating system commands remotely. | https://github.com/jahithoque/CVE-2024-10914-Exploit | PoC details |
| 9 | CVE-2024-10914 D-Link Remote Code Execution (RCE) | https://github.com/redspy-sec/D-Link | PoC details |
| 10 | A PoC exploit for CVE-2024-10914 - D-Link Remote Code Execution (RCE) | https://github.com/dragonXZH/CVE-2024-10914 | PoC details |
| 11 | None | https://github.com/yenyangmjaze/cve-2024-10914 | PoC details |
| 12 | CVE-2024-10914 Shell Exploit | https://github.com/silverxpymaster/CVE-2024-10914-Exploit | PoC details |
| 13 | A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-10914.yaml | PoC details |
| 14 | CVE-2024-10914 is a critical command injection vulnerability affecting several legacy D-Link Network Attached Storage (NAS) devices. | https://github.com/TH-SecForge/CVE-2024-10914 | PoC details |

- Title: Smart Home, SMB and Enterprise solutions | D-Link -- 🔗 Source link
  Tags: product
- Title: CVE-2024-10914 D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection -- 🔗 Source link
  Tags: signature permissions-required
- Title: CVE-2024-10914 D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection -- 🔗 Source link
  Tags: vdb-entry technical-description
- Title: Submit #432847: D-Link DNS-320, DNS-320LW, DNS-325, DNS-340L Version 1.00, Version 1.01.0914.2012, Version 1.01, Version 1.02, Version 1.08 Command Injection -- 🔗 Source link
  Tags: third-party-advisory