CVSS: 9.8EPSS: 92%CPEs: 30EXPL: 3CVE-2023-6895 – Hikvision Intercom Broadcasting System ping.php os command injection
https://notcve.org/view.php?id=CVE-2023-6895
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. • https://github.com/FuBoLuSec/CVE-2023-6895 https://github.com/nles-crt/CVE-2023-6895 https://github.com/willchen0011/cve/blob/main/rce.md https://vuldb.com/?ctiid.248254 https://vuldb.com/?id.248254 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 30EXPL: 1CVE-2023-6894 – Hikvision Intercom Broadcasting System Log File system.html information disclosure
https://notcve.org/view.php?id=CVE-2023-6894
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been classified as problematic. This affects an unknown part of the file access/html/system.html of the component Log File Handler. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. • https://github.com/willchen0011/cve/blob/main/unaccess.md https://vuldb.com/?ctiid.248253 https://vuldb.com/?id.248253 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 30EXPL: 1CVE-2023-6893 – Hikvision Intercom Broadcasting System exportrecord.php path traversal
https://notcve.org/view.php?id=CVE-2023-6893
A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK) and classified as problematic. Affected by this issue is some unknown functionality of the file /php/exportrecord.php. The manipulation of the argument downname with the input C:\ICPAS\Wnmp\WWW\php\conversion.php leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. • https://github.com/willchen0011/cve/blob/main/download.md https://vuldb.com/?ctiid.248252 https://vuldb.com/?id.248252 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 74EXPL: 1CVE-2023-28810
https://notcve.org/view.php?id=CVE-2023-28810
Some access control/intercom products have unauthorized modification of device network configuration vulnerabilities. Attackers can modify device network configuration by sending specific data packets to the vulnerable interface within the same local network. Algunos productos de control de acceso/intercomunicación tienen vulnerabilidades de modificación no autorizada de la configuración de red del dispositivo. Los atacantes pueden modificar la configuración de red del dispositivo enviando paquetes de datos específicos a la interfaz vulnerable dentro de la misma red local. • https://github.com/skylightcyber/CVE-2023-28810 https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-access-control-intercom • CWE-284: Improper Access Control •