CVE-2024-7715

Name of the Vulnerable Software and Affected Versions D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 up to 20240812

Description A critical issue affects the function sprintf of the file /cgi-bin/photocenter mgr.cgi. The manipulation of the argument filter leads to command injection. It is possible to initiate the attack remotely. The issue has been disclosed to the public and may be used. This issue only affects products that are no longer supported by the maintainer, and the vendor has confirmed that the product is end-of-life.

Recommendations As a temporary workaround, consider disabling the sprintf function in the /cgi-bin/photocenter mgr.cgi file until the issue is resolved. Restrict access to the /cgi-bin/photocenter mgr.cgi file to minimize the risk of exploitation. Avoid using the filter argument in the affected API endpoint until the issue is resolved. Retire and replace affected products immediately, as they are no longer supported by the maintainer.