CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 1CVE-2016-15038 – NUUO NVRmini 2 deletefile.php path traversal
https://notcve.org/view.php?id=CVE-2016-15038
A vulnerability, which was classified as critical, was found in NUUO NVRmini 2 up to 3.0.8. Affected is an unknown function of the file /deletefile.php. The manipulation of the argument filename leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?ctiid.258780 https://vuldb.com/?id.258780 https://www.exploit-db.com/exploits/40214 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2022-33119
https://notcve.org/view.php?id=CVE-2022-33119
NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via login.php. Se ha detectado que NUUO Network Video Recorder NVRsolo versión v03.06.02, contenía una vulnerabilidad de tipo cross-site scripting (XSS) reflejada por medio del archivo login.php • https://github.com/badboycxcc/nuuo-xss/blob/main/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25521
https://notcve.org/view.php?id=CVE-2022-25521
NUUO v03.11.00 was discovered to contain access control issue. Se ha detectado que NUUO v03.11.00 contiene un problema de control de acceso. • http://nuuo.com https://medium.com/%40dnyaneshgawande111/use-of-default-credentials-to-unauthorised-remote-access-of-internal-panel-of-network-video-5490d107fa0 • CWE-798: Use of Hard-coded Credentials •
CVSS: 10.0EPSS: 5%CPEs: 2EXPL: 3CVE-2022-23227
https://notcve.org/view.php?id=CVE-2022-23227
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root. NUUO NVRmini2 versiones hasta 3.11, permite a un atacante no autenticado subir un archivo TAR encriptado, que puede ser abusado para añadir usuarios arbitrarios debido a la falta de autenticación del archivo handle_import_user.php. Cuando es combinado con otro fallo (CVE-2011-5325), es posible sobrescribir archivos arbitrarios bajo el root de la web y lograr la ejecución de código como root • https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd https://github.com/rapid7/metasploit-framework/pull/16044 https://news.ycombinator.com/item?id=29936569 https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2021-45812
https://notcve.org/view.php?id=CVE-2021-45812
NUUO Network Video Recorder NVRsolo 3.9.1 is affected by a Cross Site Scripting (XSS) vulnerability. An attacker can steal the user's session by injecting malicious JavaScript codes which leads to session hijacking. NUUO Network Video Recorder NVRsolo versión 3.9.1, está afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS). Un atacante puede robar la sesión del usuario mediante la inyección de códigos JavaScript maliciosos que conlleva a un secuestro de la sesión • https://drive.google.com/drive/folders/18YCKzFnS5CZRmzgcwc8g7jvLpmqgy68B?usp=sharing • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •