Back

CVE-2024-8956

Sept. 17, 2024, 8:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

PTZOptics PT30X-SDI/NDI-xx

  • before firmware 6.3.40

Source

disclosure@vulncheck.com

Tags

CWE-287
disclosure@vulncheck.com
2024-09-17
CVE-2024-8956

CVE-2024-8956 details

Published : Sept. 17, 2024, 8:15 p.m.
Last Modified : Sept. 17, 2024, 8:15 p.m.

Description

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

CVSS Score

1 2 3 4 5 6 7 8 9.1 10

Weakness

Weakness Name Description
CWE-287 Improper Authentication When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

9.1

Exploitability Score

3.9

Impact Score

5.2

Base Severity

CRITICAL

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

URL Source
https://ptzoptics.com/firmware-changelog/ disclosure@vulncheck.com
https://vulncheck.com/advisories/ptzoptics-insufficient-auth disclosure@vulncheck.com
This website uses the NVD API, but is not approved or certified by it.