CVE-2022-23178

Published: 15/01/2022 Updated: 28/03/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 890
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

An issue exists on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.

Vulnerable Product

crestron hd-md4x2-4k-e_firmware 1.0.0.2159

Exploits

Crestron HD-MD4X2-4K-E version 1.0.0.2159 suffers from a credential disclosure vulnerability. When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are valid to authenticate to the web interface ...

Mailing Lists

Full Disclosure mailing list archives: [RT-SA-2021-009] Credential Disclosure in Web Interface of Crestron Device ...

Github Repositories

Security Vulnerabilities Discovered by me

Vulnerabilities: Crestron HD-MD-XX - RCE / Improper Authentication - CVE-2022-23178. As an AV Technician I take an interest in securing AV devices that I interact with. In this process I discovered a vulnerability with the Crestron HD-MD series of "DM-LITE" devices that allows for remote code execution as well as improper handling of plaintext credentials. Here is the off