CVE-2024-8460

Name of the Vulnerable Software and Affected Versions D-Link DNS-320 version 2.02b01

Description A problematic issue has been found in the Web Management Interface of the D-Link DNS-320, specifically in the file /cgi-bin/widget api.cgi. The manipulation of the getHD, getSer, or getSys argument leads to information disclosure. This issue can be exploited remotely, but the complexity of an attack is rather high, and the exploitation is known to be difficult. The product is end-of-life and should be retired and replaced.

Recommendations As a temporary workaround, consider disabling the /cgi-bin/widget api.cgi file until the issue is resolved. Restrict access to the Web Management Interface to minimize the risk of exploitation. Avoid using the getHD, getSer, or getSys argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.