CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28813
https://notcve.org/view.php?id=CVE-2023-28813
23 Nov 2023 — An attacker could exploit a vulnerability by sending crafted messages to computers installed with this plug-in to modify plug-in parameters, which could cause affected computers to download malicious files. Un atacante podría aprovechar una vulnerabilidad enviando mensajes manipulados a las maquinas instaladas con este complemento para modificar los parámetros del complemento, lo que podría provocar que las maquinas afectadas descarguen archivos maliciosos. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikvision-web-browser-plug-in-locals •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28812
https://notcve.org/view.php?id=CVE-2023-28812
23 Nov 2023 — There is a buffer overflow vulnerability in a web browser plug-in could allow an attacker to exploit the vulnerability by sending crafted messages to computers installed with this plug-in, which could lead to arbitrary code execution or cause process exception of the plug-in. Existe una vulnerabilidad de desbordamiento del búfer en un complemento del navegador web que podría permitir que un atacante aproveche la vulnerabilidad enviando mensajes manipulados a las maquinas instaladas con este complemento, lo ... • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikvision-web-browser-plug-in-locals • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.4EPSS: 0%CPEs: 79EXPL: 0CVE-2023-28811
https://notcve.org/view.php?id=CVE-2023-28811
23 Nov 2023 — There is a buffer overflow in the password recovery feature of Hikvision NVR/DVR models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. Hay un desbordamiento del búfer en la función de recuperación de contraseña de los modelos NVR/DVR de Hikvision. Si se explota, un atacante en la misma red de área local (LAN) podría provocar un mal funcionamiento del dispositivo al enviar paquetes especialment... • https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerability-in-hikvision-nvr-dvr-devices • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.6EPSS: 0%CPEs: 52EXPL: 0CVE-2023-28809 – Hikvision Access Control Session Hijacking
https://notcve.org/view.php?id=CVE-2023-28809
15 Jun 2023 — Some access control products are vulnerable to a session hijacking attack because the product does not update the session ID after a user successfully logs in. To exploit the vulnerability, attackers have to request the session ID at the same time as a valid user logs in, and gain device operation permissions by forging the IP and session ID of an authenticated user. Remote attackers can steal valid authentication session identifiers of Hikvision Access Control/Intercom Products. This is possible because a ... • http://packetstormsecurity.com/files/174506/Hikvision-Access-Control-Session-Hijacking.html • CWE-284: Improper Access Control CWE-384: Session Fixation •
CVSS: 4.3EPSS: 0%CPEs: 74EXPL: 1CVE-2023-28810
https://notcve.org/view.php?id=CVE-2023-28810
15 Jun 2023 — Some access control/intercom products have unauthorized modification of device network configuration vulnerabilities. Attackers can modify device network configuration by sending specific data packets to the vulnerable interface within the same local network. Algunos productos de control de acceso/intercomunicación tienen vulnerabilidades de modificación no autorizada de la configuración de red del dispositivo. Los atacantes pueden modificar la configuración de red del dispositivo enviando paquetes de datos... • https://github.com/skylightcyber/CVE-2023-28810 • CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 0%CPEs: 24EXPL: 0CVE-2023-28808
https://notcve.org/view.php?id=CVE-2023-28808
11 Apr 2023 — Some Hikvision Hybrid SAN/Cluster Storage products have an access control vulnerability which can be used to obtain the admin permission. The attacker can exploit the vulnerability by sending crafted messages to the affected devices. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-cluster-stor • CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-28173
https://notcve.org/view.php?id=CVE-2022-28173
19 Dec 2022 — The web server of some Hikvision wireless bridge products have an access control vulnerability which can be used to obtain the admin permission. The attacker can exploit the vulnerability by sending crafted messages to the affected devices. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/access-control-vulnerability-in-some-hikvision-wireless-bridge-products • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 26EXPL: 0CVE-2022-28172
https://notcve.org/view.php?id=CVE-2022-28172
27 Jun 2022 — The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device. El módulo web de algunos productos Hikvision Hybrid SAN/Cluster Storage presenta la siguiente vulnerabilidad de seguridad. Debido a una insuficiente comprobación de entrada, un atacante puede aprovechar la vulnerabilidad para realizar un... • http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 16%CPEs: 26EXPL: 4CVE-2022-28171 – Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-28171
27 Jun 2022 — The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device. El módulo web de algunos productos Hikvision Hybrid SAN/Cluster Storage presenta la siguiente vulnerabilidad de seguridad. Debido a una insuficiente comprobación de entrada, el atacante puede explotar la vulnerabilidad p... • https://www.exploit-db.com/exploits/51607 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 97%CPEs: 610EXPL: 13CVE-2021-36260 – Hikvision Improper Input Validation
https://notcve.org/view.php?id=CVE-2021-36260
22 Sep 2021 — A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands. Una vulnerabilidad de inyección de comandos en el servidor web de algunos productos de Hikvision. Debido a una comprobación de entrada insuficiente, un atacante puede explotar la vulnerabilidad para lanzar un ataque de inyección de comandos mediante el envío de alg... • https://www.exploit-db.com/exploits/50441 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •