CVE-2021-28144

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-28144
prog.cgi on D-Link DIR-3060 devices before 1.11b04 HF2 allows remote authenticated users to inject arbitrary commands in an admin or root context because SetVirtualServerSettings calls CheckArpTables, which calls popen unsafely.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
http://packetstormsecurity.com/files/161757/D-Link-DIR-3060-1.11b04-Command-Injection.html Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2021/Mar/23 Mailing List Third Party Advisory
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10208 Patch Vendor Advisory
https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:dlink:dir-3060_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-3060:-:*:*:*:*:*:*:*
History

19 Mar 2021, 16:21

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : 9.0
v3 : 8.8
CWE CWE-77
CPE cpe:2.3:o:dlink:dir-3060_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-3060:-:*:*:*:*:*:*:*
References (MISC) https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/ - (MISC) https://www.iot-inspector.com/blog/advisory-d-link-dir-3060/ - Exploit, Third Party Advisory
References (CONFIRM) https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10208 - (CONFIRM) https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10208 - Patch, Vendor Advisory
References (MISC) http://packetstormsecurity.com/files/161757/D-Link-DIR-3060-1.11b04-Command-Injection.html - (MISC) http://packetstormsecurity.com/files/161757/D-Link-DIR-3060-1.11b04-Command-Injection.html - Exploit, Third Party Advisory, VDB Entry
References (FULLDISC) http://seclists.org/fulldisclosure/2021/Mar/23 - (FULLDISC) http://seclists.org/fulldisclosure/2021/Mar/23 - Mailing List, Third Party Advisory

12 Mar 2021, 18:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/161757/D-Link-DIR-3060-1.11b04-Command-Injection.html -

11 Mar 2021, 20:15

Type Values Removed Values Added
References
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Mar/23 -

11 Mar 2021, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2021-03-11 17:15

Updated : 2023-12-10 13:41

NVD link : CVE-2021-28144

Mitre link : CVE-2021-28144

CVE.ORG link : CVE-2021-28144

JSON object : View

Products Affected

dlink

  • dir-3060
  • dir-3060_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')