Details of VAR-201712-1128

ID

VAR-201712-1128

TITLE

Uniview NVR Device Full Version Remote Command Execution Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2018-00538

DESCRIPTION

Zhejiang Yushi Technology Co., Ltd. (\"Yushi Technology\") is a video surveillance product and solution provider. A remote command execution vulnerability exists in the full version of UniviewNVR devices. The attacker can exploit the vulnerability to execute arbitrary commands because the background is not fully filtered and the user's input is directly spliced into the command.

Trust: 0.6

sources: CNVD: CNVD-2018-00538

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-00538

AFFECTED PRODUCTS

vendor:

yushi

model:

uniview nvr

scope:

version:

Trust: 0.6

sources: CNVD: CNVD-2018-00538

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD:	CNVD-2018-00538
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2018-00538
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2018-00538

EXTERNAL IDS

db:	SEEBUG	id:	SSVID-96950	Trust: 0.6
db:	CNVD	id:	CNVD-2018-00538	Trust: 0.6

sources: CNVD: CNVD-2018-00538

REFERENCES

url:

https://www.seebug.org/vuldb/ssvid-96950

Trust: 0.6

sources: CNVD: CNVD-2018-00538

SOURCES

db:

CNVD

id:

CNVD-2018-00538

LAST UPDATE DATE

2022-05-17T02:10:30.718000+00:00

SOURCES UPDATE DATE

db:

CNVD

id:

CNVD-2018-00538

date:

2018-01-16T00:00:00

SOURCES RELEASE DATE

db:

CNVD

id:

CNVD-2018-00538

date:

2017-12-18T00:00:00