CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 1CVE-2019-9653
https://notcve.org/view.php?id=CVE-2019-9653
NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauthenticated attackers to execute arbitrary commands via shell metacharacters to handle_load_config.php. NUUO Network Video Recorder Firmware versión1.7.x hasta 3.3.x, permite a los atacantes no identificados ejecutar comandos arbitrarios por medio de metacaracteres shell en el archivo handle_load_config.php. • https://github.com/grayoneday/CVE-2019-9653 https://www.nccst.nat.gov.tw/NewsRSS?lang=en&RSSType=mssecurity https://www.nuuo.com/DownloadMainpage.php • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 27%CPEs: 1EXPL: 1CVE-2018-19864 – NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow
https://notcve.org/view.php?id=CVE-2018-19864
NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow), resulting in ability to read camera feeds or reconfigure the device. NUUO NVRmini2 Network Video Recorder, con firmware hasta la versión 3.9.1, permite que atacantes remotos ejecuten código arbitrario o provoquen una denegación de servicio (desbordamiento de búfer), lo que resulta en la capacidad de leer los feeds de la cámara o reconfigurar el dispositivo. NUUO NVRMini 2 version 3.9.1 suffers from an sscanf stack overflow vulnerability. • https://www.exploit-db.com/exploits/46960 http://packetstormsecurity.com/files/153162/NUUO-NVRMini-2-3.9.1-Stack-Overflow.html https://www.digitaldefense.com/blog/zero-day-alerts/nuuo-firmware-disclosure https://www.nuuo.com/DownloadMainpage.php • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.0EPSS: 9%CPEs: 5EXPL: 3CVE-2018-15716 – NUUO NVRMini2 3.9.1 - (Authenticated) Command Injection
https://notcve.org/view.php?id=CVE-2018-15716
NUUO NVRMini2 version 3.9.1 is vulnerable to authenticated remote command injection. An attacker can send crafted requests to upgrade_handle.php to execute OS commands as root. NUUO NVRMini2 3.9.1 es vulnerable a una inyección de comandos remotos autenticada. Un atacante puede enviar peticiones manipuladas a upgrade_handle.php para ejecutar comandos del sistema operativo como root. NUUO NVRMini2 version 3.9.1 suffers from an authenticated command injection vulnerability. • https://www.exploit-db.com/exploits/45948 http://www.securityfocus.com/bid/106059 https://github.com/tenable/poc/tree/master/nuuo/nvrmini2/cve_2018_15716 https://www.tenable.com/security/research/tra-2018-41 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 7%CPEs: 1EXPL: 1CVE-2018-18982 – Nuuo Central Management - (Authenticated) SQL Server SQL Injection
https://notcve.org/view.php?id=CVE-2018-18982
NUUO CMS All versions 3.3 and prior the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution. NUUO CMS, en todas las versiones 3.3 y anteriores, la aplicación del servidor web permite la inyección de caracteres SQL arbitrarios, lo que puede emplearse para inyectar SQL en una instrucción en ejecución y permitir la ejecución de código arbitrario. • https://www.exploit-db.com/exploits/46449 https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 0CVE-2018-17936 – Nuuo Central Management Server 2.4 Authenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2018-17936
NUUO CMS All versions 3.3 and prior the application allows the upload of arbitrary files that can modify or overwrite configuration files to the server, which could allow remote code execution. NUUO CMS, en todas las versiones 3.3 y anteriores, la aplicación permite la subida de archivos arbitrarios que pueden modificar o sobrescribir los archivos de configuración en el servidor, lo que podría permitir la ejecución remota de código. • https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 • CWE-434: Unrestricted Upload of File with Dangerous Type •