CVE-2024-8131

Name of the Vulnerable Software and Affected Versions: D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 up to 20240814

Description: A critical issue affects the function module enable disable of the file /cgi-bin/apkg mgr.cgi in the component HTTP POST Request Handler. The manipulation of the argument f module name leads to command injection. This issue can be exploited remotely. The products affected by this issue are no longer supported by the maintainer and should be retired and replaced.

Recommendations: As a temporary workaround, consider disabling the module enable disable function until the issue is resolved. Restrict access to the /cgi-bin/apkg mgr.cgi file to minimize the risk of exploitation. Avoid using the argument f module name in the affected HTTP POST Request Handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.