CVE-2024-7922

Name of the Vulnerable Software and Affected Versions D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 up to 20240814

Description A critical issue affects the function cgi audio search, cgi create playlist, cgi get album all tracks, cgi get alltracks editlist, cgi get artist all album, cgi get genre all tracks, cgi get tracks list, cgi set airplay content, and cgi write playlist of the file /cgi-bin/myMusic.cgi. This issue leads to command injection and can be exploited remotely. The exploit has been disclosed to the public. Note that this issue only affects products that are no longer supported by the maintainer and should be retired and replaced.

Recommendations As a temporary workaround, consider disabling the cgi audio search, cgi create playlist, cgi get album all tracks, cgi get alltracks editlist, cgi get artist all album, cgi get genre all tracks, cgi get tracks list, cgi set airplay content, and cgi write playlist functions of the /cgi-bin/myMusic.cgi file until a patch is available. Restrict access to the /cgi-bin/myMusic.cgi file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.