NUUO NVRmini2 up to and including 3.11 allows an unauthenticated malicious user to upload an encrypted TAR archive, which can be abused to add arbitrary users because handle_import_user.php does not require authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
Vulnerable Product |
---|
nuuo nvrmini2_firmware |