CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47486
https://notcve.org/view.php?id=CVE-2024-47486
18 Oct 2024 — There is an XSS vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could inject scripts into certain pages by building malicious data. Existe una vulnerabilidad XSS en algunas versiones de HikCentral Master Lite. Si se aprovecha, un atacante podría inyectar scripts en determinadas páginas mediante la creación de datos maliciosos. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-product-series • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47487
https://notcve.org/view.php?id=CVE-2024-47487
18 Oct 2024 — There is a SQL injection vulnerability in some HikCentral Professional versions. This could allow an authenticated user to execute arbitrary SQL queries. Existe una vulnerabilidad de inyección SQL en algunas versiones profesionales de HikCentral. Esto podría permitir que un usuario autenticado ejecute consultas SQL arbitrarias. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-product-series •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47485
https://notcve.org/view.php?id=CVE-2024-47485
18 Oct 2024 — There is a CSV injection vulnerability in some HikCentral Master Lite versions. If exploited, an attacker could build malicious data to generate executable commands in the CSV file. Existe una vulnerabilidad de inyección de CSV en algunas versiones de HikCentral Master Lite. Si se aprovecha, un atacante podría crear datos maliciosos para generar comandos ejecutables en el archivo CSV. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-product-series •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33806
https://notcve.org/view.php?id=CVE-2023-33806
15 Apr 2024 — Insecure default configurations in Hikvision Interactive Tablet DS-D5B86RB/B V2.3.0 build220119, allows attackers to execute arbitrary commands. Las configuraciones predeterminadas inseguras en Hikvision Interactive Tablet DS-D5B86RB/B V2.3.0 build220119 permiten a los atacantes ejecutar comandos arbitrarios. • https://gist.github.com/s4fv4n/5a6374cf1dcad85226566eaa325a710d • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.7EPSS: 0%CPEs: 12EXPL: 0CVE-2024-29949
https://notcve.org/view.php?id=CVE-2024-29949
02 Apr 2024 — There is a command injection vulnerability in some Hikvision NVRs. This could allow an authenticated user with administrative rights to execute arbitrary commands. Existe una vulnerabilidad de inyección de comandos en algunos NVR de Hikvision. Esto podría permitir que un usuario autenticado con derechos administrativos ejecute comandos arbitrarios. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikvision-nvr-devices • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25064
https://notcve.org/view.php?id=CVE-2024-25064
02 Mar 2024 — Due to insufficient server-side validation, an attacker with login privileges could access certain resources that the attacker should not have access to by changing parameter values. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-professional •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25063
https://notcve.org/view.php?id=CVE-2024-25063
02 Mar 2024 — Due to insufficient server-side validation, a successful exploit of this vulnerability could allow an attacker to gain access to certain URLs that the attacker should not have access to. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-professional •
CVSS: 9.8EPSS: 92%CPEs: 30EXPL: 3CVE-2023-6895 – Hikvision Intercom Broadcasting System ping.php os command injection
https://notcve.org/view.php?id=CVE-2023-6895
17 Dec 2023 — A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. • https://github.com/FuBoLuSec/CVE-2023-6895 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 30EXPL: 1CVE-2023-6894 – Hikvision Intercom Broadcasting System Log File system.html information disclosure
https://notcve.org/view.php?id=CVE-2023-6894
17 Dec 2023 — A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been classified as problematic. This affects an unknown part of the file access/html/system.html of the component Log File Handler. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. • https://github.com/willchen0011/cve/blob/main/unaccess.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 30EXPL: 1CVE-2023-6893 – Hikvision Intercom Broadcasting System exportrecord.php path traversal
https://notcve.org/view.php?id=CVE-2023-6893
17 Dec 2023 — A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK) and classified as problematic. Affected by this issue is some unknown functionality of the file /php/exportrecord.php. The manipulation of the argument downname with the input C:\ICPAS\Wnmp\WWW\php\conversion.php leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. • https://github.com/willchen0011/cve/blob/main/download.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •