Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities by AVer
CVE-2026-40624 (GCVE-0-2026-40624)
Vulnerability from cvelistv5 – Published: 2026-06-18 23:54 – Updated: 2026-06-22 14:55
VLAI
Title
AVer PTC cameras Files or Directories Accessible to External Parties
Summary
Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+
cameras may allow a remote, unauthenticated attacker to achieve
arbitrary code execution via a specially crafted web request.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T14:54:49.993670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T14:55:00.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PTC500S",
"vendor": "AVer",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PTC115",
"vendor": "AVer",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PTC500+",
"vendor": "AVer",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PTC115+",
"vendor": "AVer",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "fj016 reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ \ncameras may allow a remote, unauthenticated attacker to achieve \narbitrary code execution via a specially crafted web request."
}
],
"value": "Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ \ncameras may allow a remote, unauthenticated attacker to achieve \narbitrary code execution via a specially crafted web request."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T23:54:51.183Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-01"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-169-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "AVer has provided a firmware fix to address this vulnerability; users \ncan find it at the following location:\u0026nbsp;\u003cbr\u003e\u003ca href=\"https://presentation.aver.com/DownloadFile.aspx?n=6617%7C1C01A887-7CDC-4C96-AD9A-11D53DE1AD71\u0026amp;t=ServiceDownload\"\u003ehttps://presentation.aver.com/DownloadFile.aspx?n=6617%7C1C01A887-7CDC-4C96-AD9A-11D53DE1AD71\u0026amp;t=ServiceDownload\u003c/a\u003e"
}
],
"value": "AVer has provided a firmware fix to address this vulnerability; users \ncan find it at the following location:\u00a0\n https://presentation.aver.com/DownloadFile.aspx?n=6617%7C1C01A887-7CDC-4C96-AD9A-11D53DE1AD71\u0026t=ServiceDownload"
}
],
"source": {
"advisory": "ICSA-26-169-01",
"discovery": "EXTERNAL"
},
"title": "AVer PTC cameras Files or Directories Accessible to External Parties",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-40624",
"datePublished": "2026-06-18T23:54:51.183Z",
"dateReserved": "2026-05-07T16:55:26.076Z",
"dateUpdated": "2026-06-22T14:55:00.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-27055 (GCVE-0-2023-27055)
Vulnerability from cvelistv5 – Published: 2023-03-24 00:00 – Updated: 2025-02-21 19:27
VLAI
Summary
Aver Information Inc PTZApp2 v20.01044.48 allows attackers to access sensitive files via a crafted GET request.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:01:32.114Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/StolidWaffle/AVer-PTZApp2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-21T19:25:38.533068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-21T19:27:02.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Aver Information Inc PTZApp2 v20.01044.48 allows attackers to access sensitive files via a crafted GET request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-24T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/StolidWaffle/AVer-PTZApp2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-27055",
"datePublished": "2023-03-24T00:00:00.000Z",
"dateReserved": "2023-02-27T00:00:00.000Z",
"dateUpdated": "2025-02-21T19:27:02.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-201609-0101
Vulnerability from variot - Updated: 2023-12-18 12:51AVer Information EH6108H+ devices with firmware X9.03.24.00.07l have hardcoded accounts, which allows remote attackers to obtain root access by leveraging knowledge of the credentials and establishing a TELNET session. AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure. Supplementary information : CWE Vulnerability type by CWE-798: Use of Hard-coded Credentials ( Using hard-coded credentials ) Has been identified. AVerInformationEH6108H+hybridDVRVU is a DVR product from AVerInformation. An attacker can exploit the vulnerability to gain root privileges. 2. An authentication-bypass vulnerability. 3. An information-disclosure vulnerability. AVer Information EH6108H+ X9.03.24.00.07l and prior are vulnerable. The vulnerability stems from the fact that the program contains hard-coded accounts. Version X9.03.24.00.07l and possibly earlier are reported to contain multiple vulnerabilities. Both accounts have root privileges and may be used to gain access via an undocumented telnet service that cannot be disabled through the web user interface and runs by default.
CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-6536
By guessing the handle parameter of the /setup page of the web interface, an unauthenticated attacker reportedly may be able to access restricted pages and alter DVR configurations or change user passwords.
CWE-200: Information Exposure - CVE-2016-6537
User credentials are reported to be stored and transmitted in an insecure manner. In the configuration page of the web interface, passwords are stored in base64-encoded strings. In client requests, credentials are listed in plain text in the cookie header.
For more information, refer to the researcher's disclosure.
Solution:
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks.
References:
http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/
https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a nd-more
https://cwe.mitre.org/data/definitions/798.html
https://cwe.mitre.org/data/definitions/302.html
https://cwe.mitre.org/data/definitions/200.html
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201609-0101",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eh6108h\\+",
"scope": "eq",
"trust": 1.6,
"vendor": "aver",
"version": "x9.03.24.00.07l"
},
{
"model": "information eh6108h+ hybrid dvr x9.03.24.00.07l",
"scope": null,
"trust": 0.9,
"vendor": "aver",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "aver information",
"version": null
},
{
"model": "eh6108h+",
"scope": null,
"trust": 0.8,
"vendor": "aver information",
"version": null
},
{
"model": "eh6108h+",
"scope": "eq",
"trust": 0.8,
"vendor": "aver information",
"version": "x9.03.24.00.07l"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07570"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004815"
},
{
"db": "NVD",
"id": "CVE-2016-6535"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:aver:eh6108h\\+_firmware:x9.03.24.00.07l:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:aver:eh6108h\\+:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-6535"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Travis Lee",
"sources": [
{
"db": "BID",
"id": "92936"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
],
"trust": 1.0
},
"cve": "CVE-2016-6535",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2016-6535",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2016-07570",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-95355",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2016-6535",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-6535",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2016-07570",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201609-276",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-95355",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2016-6535",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-07570"
},
{
"db": "VULHUB",
"id": "VHN-95355"
},
{
"db": "VULMON",
"id": "CVE-2016-6535"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004815"
},
{
"db": "NVD",
"id": "CVE-2016-6535"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVer Information EH6108H+ devices with firmware X9.03.24.00.07l have hardcoded accounts, which allows remote attackers to obtain root access by leveraging knowledge of the credentials and establishing a TELNET session. AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure. Supplementary information : CWE Vulnerability type by CWE-798: Use of Hard-coded Credentials ( Using hard-coded credentials ) Has been identified. AVerInformationEH6108H+hybridDVRVU is a DVR product from AVerInformation. An attacker can exploit the vulnerability to gain root privileges. \n2. An authentication-bypass vulnerability. \n3. An information-disclosure vulnerability. \nAVer Information EH6108H+ X9.03.24.00.07l and prior are vulnerable. The vulnerability stems from the fact that the program contains hard-coded accounts. Version X9.03.24.00.07l and possibly\nearlier are reported to contain multiple vulnerabilities. Both accounts have root privileges and may be used to\ngain access via an undocumented telnet service that cannot be disabled\nthrough the web user interface and runs by default. \n\n \n\nCWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-6536\n\n \n\nBy guessing the handle parameter of the /setup page of the web interface, an\nunauthenticated attacker reportedly may be able to access restricted pages\nand alter DVR configurations or change user passwords. \n\n \n\nCWE-200: Information Exposure - CVE-2016-6537\n\n \n\nUser credentials are reported to be stored and transmitted in an insecure\nmanner. In the configuration page of the web interface, passwords are stored\nin base64-encoded strings. In client requests, credentials are listed in\nplain text in the cookie header. \n\n \n\nFor more information, refer to the researcher\u0027s disclosure. \n\n \n\nSolution:\n\nThe CERT/CC is currently unaware of a practical solution to this problem and\nrecommends the following workaround. \n\nRestrict access\n\n \n\nAs a general good security practice, only allow connections from trusted\nhosts and networks. \n\n \n\nReferences:\n\nhttp://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/\n\nhttps://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a\nnd-more\n\nhttps://cwe.mitre.org/data/definitions/798.html\n\nhttps://cwe.mitre.org/data/definitions/302.html\n\nhttps://cwe.mitre.org/data/definitions/200.html\n\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-6535"
},
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004815"
},
{
"db": "CNVD",
"id": "CNVD-2016-07570"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "VULHUB",
"id": "VHN-95355"
},
{
"db": "VULMON",
"id": "CVE-2016-6535"
},
{
"db": "PACKETSTORM",
"id": "138875"
}
],
"trust": 3.42
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#667480",
"trust": 4.4
},
{
"db": "NVD",
"id": "CVE-2016-6535",
"trust": 3.6
},
{
"db": "BID",
"id": "92936",
"trust": 2.7
},
{
"db": "JVN",
"id": "JVNVU95660277",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004815",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201609-276",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2016-07570",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "138875",
"trust": 0.3
},
{
"db": "VULHUB",
"id": "VHN-95355",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2016-6535",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07570"
},
{
"db": "VULHUB",
"id": "VHN-95355"
},
{
"db": "VULMON",
"id": "CVE-2016-6535"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004815"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "NVD",
"id": "CVE-2016-6535"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
]
},
"id": "VAR-201609-0101",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-07570"
},
{
"db": "VULHUB",
"id": "VHN-95355"
}
],
"trust": 1.575
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-07570"
}
]
},
"last_update_date": "2023-12-18T12:51:30.654000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "EH6108H Series - NVRs and Surveillance Software",
"trust": 0.8,
"url": "http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus/"
},
{
"title": "Threatpost",
"trust": 0.1,
"url": "https://threatpost.com/new-mirai-variant-carries-out-54-hour-ddos-attacks/124660/"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2016-6535"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004815"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-798",
"trust": 1.1
},
{
"problemtype": "CWE-Other",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-95355"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004815"
},
{
"db": "NVD",
"id": "CVE-2016-6535"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.7,
"url": "http://www.kb.cert.org/vuls/id/667480"
},
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/92936"
},
{
"trust": 1.6,
"url": "https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-and-more"
},
{
"trust": 1.0,
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
{
"trust": 0.9,
"url": "http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus/"
},
{
"trust": 0.9,
"url": "https://cwe.mitre.org/data/definitions/302.html"
},
{
"trust": 0.9,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6535"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu95660277/index.html"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6535"
},
{
"trust": 0.6,
"url": "http://news.softpedia.com/news/here-s-another-vulnerable-dvr-system-ready-to-become-a-ddos-botnet-508298.shtml"
},
{
"trust": 0.3,
"url": "http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/138875/aver-information-eh6108h-authentication-bypass-inforation-exposure.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6537"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6535"
},
{
"trust": 0.1,
"url": "https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6536"
},
{
"trust": 0.1,
"url": "https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07570"
},
{
"db": "VULHUB",
"id": "VHN-95355"
},
{
"db": "VULMON",
"id": "CVE-2016-6535"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004815"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "NVD",
"id": "CVE-2016-6535"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07570"
},
{
"db": "VULHUB",
"id": "VHN-95355"
},
{
"db": "VULMON",
"id": "CVE-2016-6535"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004815"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "NVD",
"id": "CVE-2016-6535"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-09-13T00:00:00",
"db": "CERT/CC",
"id": "VU#667480"
},
{
"date": "2016-09-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-07570"
},
{
"date": "2016-09-19T00:00:00",
"db": "VULHUB",
"id": "VHN-95355"
},
{
"date": "2016-09-19T00:00:00",
"db": "VULMON",
"id": "CVE-2016-6535"
},
{
"date": "2016-09-13T00:00:00",
"db": "BID",
"id": "92936"
},
{
"date": "2016-09-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-004815"
},
{
"date": "2016-09-27T16:32:22",
"db": "PACKETSTORM",
"id": "138875"
},
{
"date": "2016-09-19T01:59:07.400000",
"db": "NVD",
"id": "CVE-2016-6535"
},
{
"date": "2016-09-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-09-22T00:00:00",
"db": "CERT/CC",
"id": "VU#667480"
},
{
"date": "2018-03-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-07570"
},
{
"date": "2016-11-28T00:00:00",
"db": "VULHUB",
"id": "VHN-95355"
},
{
"date": "2016-11-28T00:00:00",
"db": "VULMON",
"id": "CVE-2016-6535"
},
{
"date": "2016-09-13T00:00:00",
"db": "BID",
"id": "92936"
},
{
"date": "2016-09-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-004815"
},
{
"date": "2016-11-28T20:33:36.970000",
"db": "NVD",
"id": "CVE-2016-6535"
},
{
"date": "2016-09-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities",
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201609-276"
}
],
"trust": 0.6
}
}
VAR-201609-0102
Vulnerability from variot - Updated: 2023-12-18 12:51The /setup URI on AVer Information EH6108H+ devices with firmware X9.03.24.00.07l allows remote attackers to bypass intended page-access restrictions or modify passwords by leveraging knowledge of a handle parameter value. AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure. In addition, JVNVU#95660277 Then CWE-302 It is published as CWE-302: Authentication Bypass by Assumed-Immutable Data http://cwe.mitre.org/data/definitions/302.htmlBy a third party handle By using the value of the parameter, you may be able to bypass the access restriction of the page or change the password. AVerInformationEH6108H+hybridDVRVU is a DVR product from AVerInformation. AVerInformationEH6108H+hybridDVRVU has a certification bypass vulnerability. A hard coded credentials vulnerability. 2. An authentication-bypass vulnerability. 3. An information-disclosure vulnerability. Attackers may exploit these issues to gain unauthorized access to restricted content by bypassing intended security restrictions or to obtain sensitive information and gain root privileges. AVer Information EH6108H+ X9.03.24.00.07l and prior are vulnerable. Version X9.03.24.00.07l and possibly earlier are reported to contain multiple vulnerabilities. Both accounts have root privileges and may be used to gain access via an undocumented telnet service that cannot be disabled through the web user interface and runs by default.
CWE-200: Information Exposure - CVE-2016-6537
User credentials are reported to be stored and transmitted in an insecure manner. In the configuration page of the web interface, passwords are stored in base64-encoded strings. In client requests, credentials are listed in plain text in the cookie header.
For more information, refer to the researcher's disclosure.
Solution:
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks.
References:
http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/
https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a nd-more
https://cwe.mitre.org/data/definitions/798.html
https://cwe.mitre.org/data/definitions/302.html
https://cwe.mitre.org/data/definitions/200.html
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201609-0102",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eh6108h\\+",
"scope": "lte",
"trust": 1.0,
"vendor": "aver",
"version": "x9.03.24.00.07l"
},
{
"model": "information eh6108h+ hybrid dvr x9.03.24.00.07l",
"scope": null,
"trust": 0.9,
"vendor": "aver",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "aver information",
"version": null
},
{
"model": "eh6108h+",
"scope": null,
"trust": 0.8,
"vendor": "aver information",
"version": null
},
{
"model": "eh6108h+",
"scope": "eq",
"trust": 0.8,
"vendor": "aver information",
"version": "x9.03.24.00.07l"
},
{
"model": "eh6108h\\+",
"scope": "eq",
"trust": 0.6,
"vendor": "aver",
"version": "x9.03.24.00.07l"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07571"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004816"
},
{
"db": "NVD",
"id": "CVE-2016-6536"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:aver:eh6108h\\+_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "x9.03.24.00.07l",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:aver:eh6108h\\+:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-6536"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Travis Lee",
"sources": [
{
"db": "BID",
"id": "92936"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
],
"trust": 1.0
},
"cve": "CVE-2016-6536",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2016-6536",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2016-07571",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-95356",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2016-6536",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-6536",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2016-07571",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201609-277",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-95356",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-07571"
},
{
"db": "VULHUB",
"id": "VHN-95356"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004816"
},
{
"db": "NVD",
"id": "CVE-2016-6536"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The /setup URI on AVer Information EH6108H+ devices with firmware X9.03.24.00.07l allows remote attackers to bypass intended page-access restrictions or modify passwords by leveraging knowledge of a handle parameter value. AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure. In addition, JVNVU#95660277 Then CWE-302 It is published as CWE-302: Authentication Bypass by Assumed-Immutable Data http://cwe.mitre.org/data/definitions/302.htmlBy a third party handle By using the value of the parameter, you may be able to bypass the access restriction of the page or change the password. AVerInformationEH6108H+hybridDVRVU is a DVR product from AVerInformation. AVerInformationEH6108H+hybridDVRVU has a certification bypass vulnerability. A hard coded credentials vulnerability. \n2. An authentication-bypass vulnerability. \n3. An information-disclosure vulnerability. \nAttackers may exploit these issues to gain unauthorized access to restricted content by bypassing intended security restrictions or to obtain sensitive information and gain root privileges. \nAVer Information EH6108H+ X9.03.24.00.07l and prior are vulnerable. Version X9.03.24.00.07l and possibly\nearlier are reported to contain multiple vulnerabilities. Both accounts have root privileges and may be used to\ngain access via an undocumented telnet service that cannot be disabled\nthrough the web user interface and runs by default. \n\n \n\nCWE-200: Information Exposure - CVE-2016-6537\n\n \n\nUser credentials are reported to be stored and transmitted in an insecure\nmanner. In the configuration page of the web interface, passwords are stored\nin base64-encoded strings. In client requests, credentials are listed in\nplain text in the cookie header. \n\n \n\nFor more information, refer to the researcher\u0027s disclosure. \n\n \n\nSolution:\n\nThe CERT/CC is currently unaware of a practical solution to this problem and\nrecommends the following workaround. \n\nRestrict access\n\n \n\nAs a general good security practice, only allow connections from trusted\nhosts and networks. \n\n \n\nReferences:\n\nhttp://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/\n\nhttps://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a\nnd-more\n\nhttps://cwe.mitre.org/data/definitions/798.html\n\nhttps://cwe.mitre.org/data/definitions/302.html\n\nhttps://cwe.mitre.org/data/definitions/200.html\n\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-6536"
},
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004816"
},
{
"db": "CNVD",
"id": "CNVD-2016-07571"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "VULHUB",
"id": "VHN-95356"
},
{
"db": "PACKETSTORM",
"id": "138875"
}
],
"trust": 3.33
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#667480",
"trust": 4.3
},
{
"db": "NVD",
"id": "CVE-2016-6536",
"trust": 3.5
},
{
"db": "BID",
"id": "92936",
"trust": 2.6
},
{
"db": "JVN",
"id": "JVNVU95660277",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004816",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201609-277",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2016-07571",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-95356",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "138875",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07571"
},
{
"db": "VULHUB",
"id": "VHN-95356"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004816"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "NVD",
"id": "CVE-2016-6536"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
]
},
"id": "VAR-201609-0102",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-07571"
},
{
"db": "VULHUB",
"id": "VHN-95356"
}
],
"trust": 1.575
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-07571"
}
]
},
"last_update_date": "2023-12-18T12:51:30.613000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "EH6108H Series - NVRs and Surveillance Software",
"trust": 0.8,
"url": "http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-004816"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-264",
"trust": 1.9
},
{
"problemtype": "CWE-Other",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-95356"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004816"
},
{
"db": "NVD",
"id": "CVE-2016-6536"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.5,
"url": "http://www.kb.cert.org/vuls/id/667480"
},
{
"trust": 2.3,
"url": "http://www.securityfocus.com/bid/92936"
},
{
"trust": 1.6,
"url": "https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-and-more"
},
{
"trust": 0.9,
"url": "http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus/"
},
{
"trust": 0.9,
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
{
"trust": 0.9,
"url": "https://cwe.mitre.org/data/definitions/302.html"
},
{
"trust": 0.9,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6536"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu95660277/index.html"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6536"
},
{
"trust": 0.6,
"url": "http://news.softpedia.com/news/here-s-another-vulnerable-dvr-system-ready-to-become-a-ddos-botnet-508298.shtml"
},
{
"trust": 0.3,
"url": "http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6537"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6535"
},
{
"trust": 0.1,
"url": "https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6536"
},
{
"trust": 0.1,
"url": "https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07571"
},
{
"db": "VULHUB",
"id": "VHN-95356"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004816"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "NVD",
"id": "CVE-2016-6536"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07571"
},
{
"db": "VULHUB",
"id": "VHN-95356"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004816"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "NVD",
"id": "CVE-2016-6536"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-09-13T00:00:00",
"db": "CERT/CC",
"id": "VU#667480"
},
{
"date": "2016-09-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-07571"
},
{
"date": "2016-09-19T00:00:00",
"db": "VULHUB",
"id": "VHN-95356"
},
{
"date": "2016-09-13T00:00:00",
"db": "BID",
"id": "92936"
},
{
"date": "2016-09-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-004816"
},
{
"date": "2016-09-27T16:32:22",
"db": "PACKETSTORM",
"id": "138875"
},
{
"date": "2016-09-19T01:59:08.400000",
"db": "NVD",
"id": "CVE-2016-6536"
},
{
"date": "2016-09-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-09-22T00:00:00",
"db": "CERT/CC",
"id": "VU#667480"
},
{
"date": "2016-09-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-07571"
},
{
"date": "2016-11-28T00:00:00",
"db": "VULHUB",
"id": "VHN-95356"
},
{
"date": "2016-09-13T00:00:00",
"db": "BID",
"id": "92936"
},
{
"date": "2016-09-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-004816"
},
{
"date": "2016-11-28T20:33:37.987000",
"db": "NVD",
"id": "CVE-2016-6536"
},
{
"date": "2016-09-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities",
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201609-277"
}
],
"trust": 0.6
}
}
VAR-201609-0103
Vulnerability from variot - Updated: 2023-12-18 12:51AVer Information EH6108H+ devices with firmware X9.03.24.00.07l store passwords in a cleartext base64 format and require cleartext credentials in HTTP Cookie headers, which allows context-dependent attacks to obtain sensitive information by reading these strings. AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure. AVerInformationEH6108H+hybridDVRVU is a DVR product from AVerInformation. AVerInformationEH6108H+hybridDVR has an information disclosure vulnerability. Attackers can exploit vulnerabilities to obtain sensitive information. A hard coded credentials vulnerability. 2. 3. AVer Information EH6108H+ X9.03.24.00.07l and prior are vulnerable. Version X9.03.24.00.07l and possibly earlier are reported to contain multiple vulnerabilities. Both accounts have root privileges and may be used to gain access via an undocumented telnet service that cannot be disabled through the web user interface and runs by default.
CWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-6536
By guessing the handle parameter of the /setup page of the web interface, an unauthenticated attacker reportedly may be able to access restricted pages and alter DVR configurations or change user passwords.
CWE-200: Information Exposure - CVE-2016-6537
User credentials are reported to be stored and transmitted in an insecure manner. In the configuration page of the web interface, passwords are stored in base64-encoded strings. In client requests, credentials are listed in plain text in the cookie header.
Solution:
The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks.
References:
http://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/
https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a nd-more
https://cwe.mitre.org/data/definitions/798.html
https://cwe.mitre.org/data/definitions/302.html
https://cwe.mitre.org/data/definitions/200.html
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201609-0103",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eh6108h\\+",
"scope": "eq",
"trust": 1.6,
"vendor": "aver",
"version": "x9.03.24.00.07l"
},
{
"model": "information eh6108h+ hybrid dvr x9.03.24.00.07l",
"scope": null,
"trust": 0.9,
"vendor": "aver",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "aver information",
"version": null
},
{
"model": "eh6108h+",
"scope": null,
"trust": 0.8,
"vendor": "aver information",
"version": null
},
{
"model": "eh6108h+",
"scope": "eq",
"trust": 0.8,
"vendor": "aver information",
"version": "x9.03.24.00.07l"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07572"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004817"
},
{
"db": "NVD",
"id": "CVE-2016-6537"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:aver:eh6108h\\+_firmware:x9.03.24.00.07l:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:aver:eh6108h\\+:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-6537"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Travis Lee",
"sources": [
{
"db": "BID",
"id": "92936"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
],
"trust": 1.0
},
"cve": "CVE-2016-6537",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2016-6537",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2016-07572",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-95357",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2016-6537",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-6537",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2016-07572",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201609-278",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-95357",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-07572"
},
{
"db": "VULHUB",
"id": "VHN-95357"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004817"
},
{
"db": "NVD",
"id": "CVE-2016-6537"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVer Information EH6108H+ devices with firmware X9.03.24.00.07l store passwords in a cleartext base64 format and require cleartext credentials in HTTP Cookie headers, which allows context-dependent attacks to obtain sensitive information by reading these strings. AVer Information EH6108H+ hybrid DVR, version X9.03.24.00.07l and possibly earlier, reportedly contains multiple vulnerabilities, including undocumented privileged accounts, authentication bypass, and information exposure. AVerInformationEH6108H+hybridDVRVU is a DVR product from AVerInformation. AVerInformationEH6108H+hybridDVR has an information disclosure vulnerability. Attackers can exploit vulnerabilities to obtain sensitive information. A hard coded credentials vulnerability. \n2. \n3. \nAVer Information EH6108H+ X9.03.24.00.07l and prior are vulnerable. Version X9.03.24.00.07l and possibly\nearlier are reported to contain multiple vulnerabilities. Both accounts have root privileges and may be used to\ngain access via an undocumented telnet service that cannot be disabled\nthrough the web user interface and runs by default. \n\n \n\nCWE-302: Authentication Bypass by Assumed-Immutable Data - CVE-2016-6536\n\n \n\nBy guessing the handle parameter of the /setup page of the web interface, an\nunauthenticated attacker reportedly may be able to access restricted pages\nand alter DVR configurations or change user passwords. \n\n \n\nCWE-200: Information Exposure - CVE-2016-6537\n\n \n\nUser credentials are reported to be stored and transmitted in an insecure\nmanner. In the configuration page of the web interface, passwords are stored\nin base64-encoded strings. In client requests, credentials are listed in\nplain text in the cookie header. \n\n \n\nSolution:\n\nThe CERT/CC is currently unaware of a practical solution to this problem and\nrecommends the following workaround. \n\nRestrict access\n\n \n\nAs a general good security practice, only allow connections from trusted\nhosts and networks. \n\n \n\nReferences:\n\nhttp://surveillance.aver.com/model/embedded-hybrid-DVR-EH6108H-plus/\n\nhttps://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a\nnd-more\n\nhttps://cwe.mitre.org/data/definitions/798.html\n\nhttps://cwe.mitre.org/data/definitions/302.html\n\nhttps://cwe.mitre.org/data/definitions/200.html\n\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-6537"
},
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004817"
},
{
"db": "CNVD",
"id": "CNVD-2016-07572"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "VULHUB",
"id": "VHN-95357"
},
{
"db": "PACKETSTORM",
"id": "138875"
}
],
"trust": 3.33
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#667480",
"trust": 4.3
},
{
"db": "NVD",
"id": "CVE-2016-6537",
"trust": 3.5
},
{
"db": "BID",
"id": "92936",
"trust": 2.6
},
{
"db": "JVN",
"id": "JVNVU95660277",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004817",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201609-278",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2016-07572",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-95357",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "138875",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07572"
},
{
"db": "VULHUB",
"id": "VHN-95357"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004817"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "NVD",
"id": "CVE-2016-6537"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
]
},
"id": "VAR-201609-0103",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-07572"
},
{
"db": "VULHUB",
"id": "VHN-95357"
}
],
"trust": 1.575
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-07572"
}
]
},
"last_update_date": "2023-12-18T12:51:30.573000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "EH6108H Series - NVRs and Surveillance Software",
"trust": 0.8,
"url": "http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-004817"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-200",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-95357"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004817"
},
{
"db": "NVD",
"id": "CVE-2016-6537"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.5,
"url": "http://www.kb.cert.org/vuls/id/667480"
},
{
"trust": 2.3,
"url": "http://www.securityfocus.com/bid/92936"
},
{
"trust": 1.6,
"url": "https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-and-more"
},
{
"trust": 0.9,
"url": "http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus/"
},
{
"trust": 0.9,
"url": "https://cwe.mitre.org/data/definitions/798.html"
},
{
"trust": 0.9,
"url": "https://cwe.mitre.org/data/definitions/302.html"
},
{
"trust": 0.9,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6537"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu95660277/index.html"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-6537"
},
{
"trust": 0.6,
"url": "http://news.softpedia.com/news/here-s-another-vulnerable-dvr-system-ready-to-become-a-ddos-botnet-508298.shtml"
},
{
"trust": 0.3,
"url": "http://surveillance.aver.com/model/embedded-hybrid-dvr-eh6108h-plus"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6537"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6535"
},
{
"trust": 0.1,
"url": "https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-a"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6536"
},
{
"trust": 0.1,
"url": "https://www.appsecconsulting.com/blog/easy-root-on-aver-eh6108h-hybrid-dvr-"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07572"
},
{
"db": "VULHUB",
"id": "VHN-95357"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004817"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "NVD",
"id": "CVE-2016-6537"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#667480"
},
{
"db": "CNVD",
"id": "CNVD-2016-07572"
},
{
"db": "VULHUB",
"id": "VHN-95357"
},
{
"db": "BID",
"id": "92936"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-004817"
},
{
"db": "PACKETSTORM",
"id": "138875"
},
{
"db": "NVD",
"id": "CVE-2016-6537"
},
{
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-09-13T00:00:00",
"db": "CERT/CC",
"id": "VU#667480"
},
{
"date": "2016-09-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-07572"
},
{
"date": "2016-09-19T00:00:00",
"db": "VULHUB",
"id": "VHN-95357"
},
{
"date": "2016-09-13T00:00:00",
"db": "BID",
"id": "92936"
},
{
"date": "2016-09-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-004817"
},
{
"date": "2016-09-27T16:32:22",
"db": "PACKETSTORM",
"id": "138875"
},
{
"date": "2016-09-19T01:59:09.383000",
"db": "NVD",
"id": "CVE-2016-6537"
},
{
"date": "2016-09-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-09-22T00:00:00",
"db": "CERT/CC",
"id": "VU#667480"
},
{
"date": "2016-09-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-07572"
},
{
"date": "2016-11-28T00:00:00",
"db": "VULHUB",
"id": "VHN-95357"
},
{
"date": "2016-09-13T00:00:00",
"db": "BID",
"id": "92936"
},
{
"date": "2016-09-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-004817"
},
{
"date": "2016-11-28T20:33:39.003000",
"db": "NVD",
"id": "CVE-2016-6537"
},
{
"date": "2016-09-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AVer Information EH6108H+ hybrid DVR contains multiple vulnerabilities",
"sources": [
{
"db": "CERT/CC",
"id": "VU#667480"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201609-278"
}
],
"trust": 0.6
}
}
CVE-2023-27055 (GCVE-0-2023-27055)
Vulnerability from nvd – Published: 2023-03-24 00:00 – Updated: 2025-02-21 19:27
VLAI
Summary
Aver Information Inc PTZApp2 v20.01044.48 allows attackers to access sensitive files via a crafted GET request.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:01:32.114Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/StolidWaffle/AVer-PTZApp2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-21T19:25:38.533068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-21T19:27:02.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Aver Information Inc PTZApp2 v20.01044.48 allows attackers to access sensitive files via a crafted GET request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-24T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/StolidWaffle/AVer-PTZApp2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-27055",
"datePublished": "2023-03-24T00:00:00.000Z",
"dateReserved": "2023-02-27T00:00:00.000Z",
"dateUpdated": "2025-02-21T19:27:02.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}