cgi-bin/cgi_system in NUUO NVRmini 2 1.7.5 up to and including 2.x, NUUO NVRsolo 1.7.5 up to and including 2.x, and NETGEAR ReadyNAS Surveillance 1.1.1 up to and including 1.4.1 allows remote malicious users to reset the administrator password via a cmd=loaddefconfig action.

Vulnerable Product |
---|
netgear readynas surveillance 1.4.2 |
netgear readynas surveillance 1.4.0 |
netgear readynas surveillance 1.4.1 |
netgear readynas surveillance 1.1.1 |
netgear readynas surveillance 1.1.2 |
netgear readynas surveillance 1.3.2.14 |
netgear readynas surveillance 1.2.0.4 |
netgear readynas surveillance 1.3.2.4 |
nuuo nvrsolo 3.0.0 |
nuuo nvrsolo 2.1.5 |
nuuo nvrsolo 2.0.1 |
nuuo nvrsolo 2.3 |
nuuo nvrsolo 2.2.2 |
nuuo nvrsolo 2.3.9.6 |
nuuo nvrsolo 2.3.7.10 |
nuuo nvrsolo 2.0.0 |
nuuo nvrsolo 1.75 |
nuuo nvrsolo 2.3.7.9 |
nuuo nvrsolo 2.3.1.20 |
nuuo nvrmini 2 1.7.6 |
nuuo nvrmini 2 1.7.5 |
nuuo nvrmini 2 2.2.1 |
nuuo nvrmini 2 2.0.0 |
nuuo nvrmini 2 3.0.0 |

Kit from NUUO, Netgear has face-palm grade stoopid
There are multiple Web interface vulnerabilities in a network video recorder under Netgear's ReadyNAS brand and various devices by video recording company NUUO. The affected NUUO units are NVRmini 2, NVRsolo, and Crystal. The CERT advisory lists six Common Vulnerabilities and Exposures (CVE) notices attached to the affected products, ranging from input validation issues to buffer overruns. Under CVE-2016-5674, there's a hidden page in the Web management interface that looks like someone wrote it...