CVE-2024-11066

The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through the specific web page.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.twcert.org.tw/en/cp-139-8232-5d94e-2.html	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-8225-3d882-1.html	Third Party Advisory
https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-bug-in-60-000-exposed-eol-modems/

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dlink:dsl6740c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dsl6740c:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-11-11 08:15

Updated : 2024-11-24 15:15

NVD link : CVE-2024-11066

Mitre link : CVE-2024-11066

CVE.ORG link : CVE-2024-11066

JSON object : View

Products Affected

dlink

dsl6740c
dsl6740c_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-11066", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "twcert@cert.org.tw"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2024-11-11T08:15:07.730", "references": [{"url": "https://www.twcert.org.tw/en/cp-139-8232-5d94e-2.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-8225-3d882-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-bug-in-60-000-exposed-eol-modems/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through the specific web page."}, {"lang": "es", "value": "El m\u00f3dem D-Link DSL6740C tiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo, que permite a atacantes remotos con privilegios de administrador inyectar y ejecutar comandos de sistema arbitrarios a trav\u00e9s de la p\u00e1gina web espec\u00edfica."}], "lastModified": "2024-11-24T15:15:06.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dsl6740c_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "702B0914-7B3E-4797-9D28-C1C680EC6668"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dsl6740c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "04466F44-FDB1-4ABF-84F1-C88CC175BCB9"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "twcert@cert.org.tw"}