CVE-2024-42812

In D-Link DIR-860L v2.03, there is a buffer overflow vulnerability due to the lack of length verification for the SID field in gena.cgi. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/XiaoCurry/574ed9c2b0d12cd0b45399116d82121c	Exploit Third Party Advisory
https://www.dlink.com/en/security-bulletin/	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dlink:dir-860l_firmware:2.0.3:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-860l:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-08-19 20:15

Updated : 2025-03-17 16:15

NVD link : CVE-2024-42812

Mitre link : CVE-2024-42812

CVE.ORG link : CVE-2024-42812

JSON object : View

Products Affected

dlink

dir-860l
dir-860l_firmware

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

{"id": "CVE-2024-42812", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-08-19T20:15:07.070", "references": [{"url": "https://gist.github.com/XiaoCurry/574ed9c2b0d12cd0b45399116d82121c", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.dlink.com/en/security-bulletin/", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "In D-Link DIR-860L v2.03, there is a buffer overflow vulnerability due to the lack of length verification for the SID field in gena.cgi. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands."}, {"lang": "es", "value": "En D-Link DIR-860L v2.03, existe una vulnerabilidad de desbordamiento del b\u00fafer debido a la falta de verificaci\u00f3n de longitud para el campo SID en gena.cgi. Los atacantes que explotan con \u00e9xito esta vulnerabilidad pueden provocar que el dispositivo de destino remoto falle o ejecute comandos arbitrarios."}], "lastModified": "2025-03-17T16:15:22.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dir-860l_firmware:2.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7383928C-851B-40C5-914C-83AB9CFD9748"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dir-860l:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CCDB9720-8F5A-4F02-A436-920CDAC15D69"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}