![]() ![]() An attack uses shell metacharacters in the senderemail parameter. This vulnerability is already verified on VIVOTEK Network Camera IB8369/FD8164/FD816BA most others have similar firmware that may be affected. ![]() '/cgi-bin/admin/testserver.cgi' of the web service in most of the VIVOTEK Network Cameras is vulnerable to shell command injection, which allows remote attackers to execute any shell command as root via a crafted HTTP request. '/cgi-bin/admin/downloadMedias.cgi' of the web service in most of the VIVOTEK Network Cameras is vulnerable, which allows remote attackers to read any file on the camera's Linux filesystem via a crafted HTTP request containing "." sequences. NOTE: the vendor sent a clarification on explaining that, although this CVE was first populated in July 2019, it is a historical vulnerability that does not apply to any current or recent Vivotek hardware or firmware. ** DISPUTED ** Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget. NOTE: The vendor has disputed this as a vulnerability and states that the issue does not cause a web server crash or have any other affect on it's performance. ** DISPUTED ** Vivotek FD8136 devices allow Remote Command Injection, aka "another command injection vulnerability in our target device," a different issue than CVE-2018-14494. ** DISPUTED ** Vivotek FD8136 devices allow remote memory corruption and remote code execution because of a stack-based buffer overflow, related to sprintf, vlocal_buff_4326, and set_getparam.cgi. Various VIVOTEK FD8*, FD9*, FE9*, IB8*, IB9*, IP9*, IZ9*, MS9*, SD9*, and other devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code. ![]() ![]() VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF. VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 1 of 2) via the ONVIF interface, (/onvif/device_service). VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 2 of 2) via eventscript.cgi. Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL parameter. VIVOTEK IP Camera devices with firmware before 0x20x have a stack-based buffer overflow via a crafted HTTP header.Īn authentication bypass vulnerability in VIVOTEK IPCam versions prior to 0x13a was found.Ĭross-site scripting in syslog.html in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript code via an HTTP Referer Header.Ĭross-site scripting in event_script.js in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript via a URL query string parameter. VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of service via a crafted HTTP header. For example, this affects IT9388-HT devices. Testserver.cgi of the web service on VIVOTEK Network Cameras before .01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to obtain arbitrary files from a camera's local filesystem. VIVOTEK Network Cameras before .01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to upload and execute a script (with resultant execution of OS commands). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |