CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12553 – GeoVision GV-ASManager Missing Authorization Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-12553
GeoVision GV-ASManager Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of GeoVision GV-ASManager. Although authentication is required to exploit this vulnerability, default guest credentials may be used. The specific flaw exists within the GV-ASWeb service. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://www.zerodayinitiative.com/advisories/ZDI-24-1682 • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 1CVE-2024-11120 – GeoVision EOL devices - OS Command Injection
https://notcve.org/view.php?id=CVE-2024-11120
Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports. • https://github.com/FoKiiin/CVE-2024-11120 https://www.twcert.org.tw/en/cp-139-8237-26d7a-2.html https://www.twcert.org.tw/tw/cp-132-8236-d4836-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 20EXPL: 0CVE-2024-6047 – GeoVision EOL device - OS Command Injection
https://notcve.org/view.php?id=CVE-2024-6047
Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Ciertos dispositivos EOL GeoVision no filtran adecuadamente la entrada del usuario para la funcionalidad específica. Los atacantes remotos no autenticados pueden aprovechar esta vulnerabilidad para inyectar y ejecutar comandos arbitrarios del sistema en el dispositivo. • https://www.twcert.org.tw/en/cp-139-7884-c5a8b-2.html https://www.twcert.org.tw/tw/cp-132-7883-f5635-1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-3638 – GeoVision GV-ADR2701 Improper Authentication
https://notcve.org/view.php?id=CVE-2023-3638
In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-05 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-23059
https://notcve.org/view.php?id=CVE-2023-23059
An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for windows, which contains improper permissions within the default installation and allows attackers to execute arbitrary code and gain escalated privileges. • http://geovision.com http://gv-edge.com https://packetstormsecurity.com/files/172141/GV-Edge-Recording-Manager-2.2.3.0-Privilege-Escalation.html • CWE-276: Incorrect Default Permissions •