
Multiple D-Link Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-5299 (CVSS 8.8)

D-Link D-View could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the execMonitorScript method. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of root.

CVE-2024-5298 (CVSS 8.8)

D-Link D-View could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the queryDeviceCustomMonitorResult method. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of root.

CVE-2024-5293 (CVSS 8.8)

D-Link DIR-2640 Routers are vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the prog.cgi script. By sending specially crafted HNAP requests, a remote attacker could overflow a buffer and execute arbitrary code in the context of root.
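The bug class behind CVE-2024-5293 is a request field copied into a fixed-size stack buffer without checking its length first. The following C program is an added illustration, not D-Link's prog.cgi code and not from the advisory: it shows a generic HNAP-style handler in both forms, the unchecked copy for contrast and the hardened version that validates the length against the buffer and refuses the request when it does not fit. The buffer size, header name handling and the sample requests are constructed for this example.

```c
/* Added example (hypothetical code, not D-Link's): copying an attacker-
 * controlled HNAP header value into a fixed stack buffer, unchecked versus
 * bounds-checked. Sizes and sample requests are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ACTION_MAX 32   /* hypothetical size of the on-stack action buffer */

/* Vulnerable pattern: strcpy trusts the length chosen by the client, so a
 * value of ACTION_MAX bytes or more writes past the end of 'out'. Shown for
 * contrast only; this program never calls it with an oversized value. */
int copy_action_unsafe(const char *src, char *out)
{
    strcpy(out, src);                 /* no check against ACTION_MAX */
    return 0;
}

/* Hardened copy: verify the value fits (with room for the terminating NUL)
 * before touching the buffer, and reject rather than silently truncate.
 * Returns 0 on success, -1 when the value is too long. */
int copy_action_safe(const char *src, size_t src_len, char *out, size_t out_len)
{
    if (out == NULL || src_len >= out_len) {
        return -1;                    /* would overflow: refuse the request */
    }
    memcpy(out, src, src_len);
    out[src_len] = '\0';
    return 0;
}

/* Locate the SOAPAction header in a raw HTTP request and run its value
 * through the hardened copy. Returns 0 if accepted, -1 if the header is
 * missing or its value does not fit in action_out. */
int process_hnap_request(const char *raw_request, char *action_out, size_t out_len)
{
    const char *hdr = strstr(raw_request, "SOAPAction:");
    if (hdr == NULL) {
        return -1;                    /* not an HNAP request we handle */
    }
    hdr += strlen("SOAPAction:");
    while (*hdr == ' ' || *hdr == '\t') {
        hdr++;                        /* skip optional whitespace */
    }
    size_t value_len = strcspn(hdr, "\r\n");   /* value ends at line break */
    return copy_action_safe(hdr, value_len, action_out, out_len);
}

/* Constructed sample requests (not captured traffic). */
const char OK_REQUEST[] =
    "POST /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "SOAPAction: \"ExampleAction\"\r\n"
    "\r\n";

/* 40-byte value: exceeds ACTION_MAX and must be rejected. */
const char OVERSIZED_REQUEST[] =
    "POST /HNAP1/ HTTP/1.1\r\n"
    "SOAPAction: "
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\r\n"
    "\r\n";

/* 31-byte value: the largest that still fits with its NUL terminator. */
const char EDGE_FIT_REQUEST[] =
    "POST /HNAP1/ HTTP/1.1\r\n"
    "SOAPAction: "
    "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "B" "\r\n"
    "\r\n";

/* 32-byte value: exactly ACTION_MAX, leaves no room for the NUL, rejected. */
const char EDGE_OVER_REQUEST[] =
    "POST /HNAP1/ HTTP/1.1\r\n"
    "SOAPAction: "
    "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "BB" "\r\n"
    "\r\n";

int main(void)
{
    char action[ACTION_MAX];
    const char *samples[] = { OK_REQUEST, OVERSIZED_REQUEST, EDGE_FIT_REQUEST, EDGE_OVER_REQUEST };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = process_hnap_request(samples[i], action, sizeof action);
        printf("request %zu: %s\n", i, rc == 0 ? action : "rejected (value too long)");
    }
    return 0;
}
```

The defensive point is the ordering: the length comparison happens before any byte is written, and the check is `>=` rather than `>` so the terminator always has a slot. Silent truncation (for example a bare `strncpy` without a length error) would avoid the overflow but can still produce an unterminated string or a different action than the client named, so the hardened handler returns an error that the caller should turn into an HTTP 400.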

CVE-2024-5292 (CVSS 7.3)

D-Link Network Assistant could allow a local authenticated attacker to gain elevated privileges on the system, caused by an uncontrolled search path element flaw in the DNACore service. An authenticated attacker could exploit this vulnerability to gain elevated privileges and execute arbitrary code in the context of SYSTEM.

Impact

  • Gain Access
  • Privilege Escalation

Indicators of Compromise

CVE

  • CVE-2024-5299
  • CVE-2024-5298
  • CVE-2024-5293
  • CVE-2024-5292

Affected Vendors

D-Link

Affected Products

  • D-Link D-View
  • D-Link DIR-2640
  • D-Link Network Assistant

Remediation

Upgrade to the latest version of D-View, available from the D-Link website.
