Vulnerability CVE-2019-14457


Published: 2019-09-10

Description:
VIVOTEK IP Camera devices with firmware before 0x20x have a stack-based buffer overflow via a crafted HTTP header.

Type:

CWE-120

(Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

Vendor: Vivotek
Product: Camera 

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://download.vivotek.com/downloadfile/support/cyber-security/vvtk-sa-2019-002-v1.pdf

Related CVE
CVE-2019-14458
VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of service via a crafted HTTP header.
CVE-2019-10256
An authentication bypass vulnerability in VIVOTEK IPCam versions prior to 0x13a was found.
CVE-2018-14496
** DISPUTED ** Vivotek FD8136 devices allow remote memory corruption and remote code execution because of a stack-based buffer overflow, related to sprintf, vlocal_buff_4326, and set_getparam.cgi. NOTE: The vendor has disputed this as a vulnerability...
CVE-2018-14495
** DISPUTED ** Vivotek FD8136 devices allow Remote Command Injection, aka "another command injection vulnerability in our target device," a different issue than CVE-2018-14494. NOTE: The vendor has disputed this as a vulnerability and states that the...
CVE-2018-14494
** DISPUTED ** Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget. NOTE: the vendor sent a clarification on 2019-09-17 explaining that, although this CVE was first populated in July 2019, it is a historical vulnerabili...
CVE-2018-18244
Cross-site scripting in syslog.html in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript code via an HTTP Referer Header.
CVE-2018-18005
Cross-site scripting in event_script.js in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript via a URL query string parameter.
CVE-2018-18004
Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL parameter.

Copyright 2019, cxsecurity.com

 

Back to Top