ID

VAR-201709-1246


TITLE

Zhejiang Dahua Intelligent Operation and Maintenance Management System Has SQL Injection and Arbitrary Traversal Download Vulnerabilities

Trust: 0.6

sources: CNVD: CNVD-2017-20985

DESCRIPTION

The Zhejiang Dahua Intelligent Operation and Maintenance Platform targets the video surveillance field of the security industry. It uses intelligent analysis, fault detection and workflow engine technologies to integrate functions suited to the user's business, such as video quality diagnostics, video inspection, equipment status detection, circulation processing and statistical reports. Its goals are unattended operation, standardized management and quantitative assessment, thereby minimizing the labor costs of video surveillance system operation and maintenance, improving the level of operation and maintenance, and ensuring the safe and reliable operation of the system. The Zhejiang Dahua Intelligent Operation and Maintenance Management System has SQL injection and arbitrary file traversal download vulnerabilities. Attackers can use these vulnerabilities to obtain arbitrary contents of the database, download arbitrary files on the server, and even upload webshells.

Trust: 0.6

sources: CNVD: CNVD-2017-20985

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-20985

AFFECTED PRODUCTS

vendor: dahua
model: intelligent operation and maintenance management system
scope: -
version: -

Trust: 0.6

sources: CNVD: CNVD-2017-20985

CVSS

SEVERITY

CNVD: CNVD-2017-20985
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2017-20985
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

-

sources: CNVD: CNVD-2017-20985

PATCH

title: Zhejiang Dahua Intelligent Operation and Maintenance Management System SQL Injection and Arbitrary Traversal Download Vulnerability
url: https://www.cnvd.org.cn/patchinfo/show/99655

Trust: 0.6

sources: CNVD: CNVD-2017-20985

EXTERNAL IDS

db: CNVD
id: CNVD-2017-20985

Trust: 0.6

sources: CNVD: CNVD-2017-20985

SOURCES

db: CNVD
id: CNVD-2017-20985

LAST UPDATE DATE

2022-05-04T10:16:10.040000+00:00


SOURCES UPDATE DATE

db: CNVD
id: CNVD-2017-20985
date: 2017-11-19T00:00:00

SOURCES RELEASE DATE

db: CNVD
id: CNVD-2017-20985
date: 2017-09-17T00:00:00