CVE-2024-42812

In D-Link DIR-860L v2.03, there is a buffer overflow vulnerability due to the lack of length verification for the SID field in gena.cgi. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/XiaoCurry/574ed9c2b0d12cd0b45399116d82121c	Exploit Third Party Advisory
https://www.dlink.com/en/security-bulletin/	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dlink:dir-860l_firmware:2.0.3:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-860l:-:*:*:*:*:*:*:*

History

10 Oct 2024, 20:18

Type	Values Removed	Values Added
CPE		cpe:2.3:o:dlink:dir-860l_firmware:2.0.3:::::::* cpe:2.3:h:dlink:dir-860l:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Dlink dir-860l Firmware Dlink Dlink dir-860l
CWE		CWE-120
References	~~() https://gist.github.com/XiaoCurry/574ed9c2b0d12cd0b45399116d82121c -~~	() https://gist.github.com/XiaoCurry/574ed9c2b0d12cd0b45399116d82121c - Exploit, Third Party Advisory
References	~~() https://www.dlink.com/en/security-bulletin/ -~~	() https://www.dlink.com/en/security-bulletin/ - Product

20 Aug 2024, 15:44

Type	Values Removed	Values Added
Summary		(es) En D-Link DIR-860L v2.03, existe una vulnerabilidad de desbordamiento del búfer debido a la falta de verificación de longitud para el campo SID en gena.cgi. Los atacantes que explotan con éxito esta vulnerabilidad pueden provocar que el dispositivo de destino remoto falle o ejecute comandos arbitrarios.

19 Aug 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-19 20:15

Updated : 2025-03-17 16:15

NVD link : CVE-2024-42812

Mitre link : CVE-2024-42812

CVE.ORG link : CVE-2024-42812

JSON object : View

Products Affected

dlink

dir-860l
dir-860l_firmware

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

{"id": "CVE-2024-42812", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-08-19T20:15:07.070", "references": [{"url": "https://gist.github.com/XiaoCurry/574ed9c2b0d12cd0b45399116d82121c", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.dlink.com/en/security-bulletin/", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "In D-Link DIR-860L v2.03, there is a buffer overflow vulnerability due to the lack of length verification for the SID field in gena.cgi. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands."}, {"lang": "es", "value": "En D-Link DIR-860L v2.03, existe una vulnerabilidad de desbordamiento del b\u00fafer debido a la falta de verificaci\u00f3n de longitud para el campo SID en gena.cgi. Los atacantes que explotan con \u00e9xito esta vulnerabilidad pueden provocar que el dispositivo de destino remoto falle o ejecute comandos arbitrarios."}], "lastModified": "2025-03-17T16:15:22.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dir-860l_firmware:2.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7383928C-851B-40C5-914C-83AB9CFD9748"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dir-860l:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CCDB9720-8F5A-4F02-A436-920CDAC15D69"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}