Command Injection Vulnerability in D-Link Network Attached Storage Products
CVE-2024-7922
9.8 CRITICAL
Summary
A command injection vulnerability has been identified in several D-Link Network Attached Storage (NAS) products, affecting the myMusic.cgi script. Remote attackers can reach the flaw through several functions, including cgi_audio_search, cgi_create_playlist, and cgi_get_tracks_list. It arises from improper validation of user input, which lets attackers execute arbitrary commands on the affected devices. Only products no longer supported by D-Link are affected, and users are advised to retire and replace these systems. The vulnerability has been publicly disclosed, which increases the urgency of remediation.
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published