cgi-bin/cgi_main in NUUO NVRmini 2 1.7.6 up to and including 3.0.0 and NETGEAR ReadyNAS Surveillance 1.1.2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the sn parameter to the transfer_license command.
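A detection sketch for the issue described above, added here as an example and not taken from the vendor or the advisory: it scans web access log lines for `transfer_license` requests to `cgi-bin/cgi_main` whose `sn` value falls outside a strict allowlist. The combined log format, the `cmd` parameter name in the sample lines, the serial-number allowlist and the log lines themselves are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a licence serial number is short, alphanumeric, dash-separated.
SAFE_SN = re.compile(r"[A-Za-z0-9-]{1,64}")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_sn(target):
    """Return the decoded sn value when the request reaches cgi_main with the
    transfer_license command and sn is outside the allowlist, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/cgi_main"):
        return None
    # parse_qsl percent-decodes, so encoded metacharacters are compared decoded.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not any(value == "transfer_license" for _, value in params):
        return None
    for name, value in params:
        if name == "sn" and not SAFE_SN.fullmatch(value):
            return value
    return None

def scan(log_lines):
    """Return (client address, decoded sn) for every flagged request."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if match:
            sn = suspicious_sn(match.group(1))
            if sn is not None:
                hits.append((line.split()[0], sn))
    return hits

# Constructed sample log lines; addresses are from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Sep/2016:10:00:01 +0000] "GET /cgi-bin/cgi_main?cmd=transfer_license&sn=NV-1234-ABCD HTTP/1.1" 200 512',
    '192.0.2.77 - admin [01/Sep/2016:10:02:13 +0000] "GET /cgi-bin/cgi_main?cmd=transfer_license&sn=NV-1234%3Bid%23 HTTP/1.1" 200 87',
    '192.0.2.77 - admin [01/Sep/2016:10:02:20 +0000] "GET /cgi-bin/cgi_main?cmd=transfer_license&sn=%60uname%60 HTTP/1.1" 200 87',
    '192.0.2.10 - admin [01/Sep/2016:10:05:44 +0000] "GET /cgi-bin/cgi_main?cmd=getconfig&sn=x%3By HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for client, sn in scan(SAMPLE_LOG):
        print(f"{client} sent sn={sn!r}")
```

An allowlist is used instead of a list of forbidden characters because the same check, applied server-side before the value reaches a shell, is also the fix for this class of bug.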
Vulnerable Product |
---|
nuuo nvrmini 2 3.0.0 |
nuuo nvrmini 2 2.2.1 |
nuuo nvrmini 2 2.0.0 |
nuuo nvrmini 2 1.7.6 |
netgear readynas surveillance 1.1.2 |
Kit from NUUO, Netgear has face-palm grade stoopid
There are multiple Web interface vulnerabilities in a network video recorder under Netgear's ReadyNAS brand and various devices by video recording company NUUO. The affected NUUO units are NVRmini 2, NVRsolo, and Crystal. The CERT advisory lists six Common Vulnerabilities and Exposures (CVE) notices attached to the affected products, ranging from input validation issues to buffer overruns. Under CVE-2016-5674, there's a hidden page in the Web management interface that looks like someone wrote it...