D-Link NAS - Command Injection via Group Parameter (CVE-2024-10915)

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been rated as critical. Affected by this issue is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument group leads to os command injection.

于2024年10月28日前，D-Link DNS-320、DNS-320LW、DNS-325及DNS-340L系列设备被发现存在一处漏洞。该漏洞被评为严重等级。受此问题影响的是位于/cgi-bin/account_mgr.cgi?cmd=cgi_user_add文件中的cgi_user_add功能。对group参数的操纵将导致操作系统命令注入。