
CVSS: 9.8 • EPSS: 0% • CPEs: 24 • EXPL: 0

Some Hikvision Hybrid SAN/Cluster Storage products have an access control vulnerability which can be used to obtain admin permission. An attacker can exploit the vulnerability by sending crafted messages to the affected devices. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-cluster-stor • CWE-284: Improper Access Control

CVSS: 9.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

The web server of some Hikvision wireless bridge products has an access control vulnerability which can be used to obtain admin permission. An attacker can exploit the vulnerability by sending crafted messages to the affected devices. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/access-control-vulnerability-in-some-hikvision-wireless-bridge-products • CWE-284: Improper Access Control

CVSS: 6.5 • EPSS: 0% • CPEs: 26 • EXPL: 0

The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerability. Due to insufficient input validation, an attacker can exploit the vulnerability to carry out an XSS attack by sending messages with malicious commands to the affected device. • http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 22% • CPEs: 26 • EXPL: 3

The web module in some Hikvision Hybrid SAN/Cluster Storage products has the following security vulnerability. Due to insufficient input validation, an attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device. Hikvision Hybrid SAN Ds-a71024 firmware suffers from a remote blind SQL injection vulnerability. • https://www.exploit-db.com/exploits/51607 https://github.com/NyaMeeEain/CVE-2022-28171-POC http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html http://packetstormsecurity.com/files/173653/Hikvision-Hybrid-SAN-Ds-a71024-SQL-Injection.html https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 9.8 • EPSS: 97% • CPEs: 610 • EXPL: 10

A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands. Hikvision Web Server Build 210702 suffers from a command injection vulnerability. • https://www.exploit-db.com/exploits/50441 https://github.com/Aiminsun/CVE-2021-36260 https://github.com/Cuerz/CVE-2021-36260 https://github.com/rabbitsafe/CVE-2021-36260 https://github.com/TaroballzChen/CVE-2021-36260-metasploit https://github.com/TakenoSite/Simple-CVE-2021-36260 https://github.com/haingn/HIK-CVE-2021-36260-Exploit http://packetstormsecurity.com/files/164603/Hikvision-Web-Server-Build-210702-Command-Injection.html http://packetstormsecurity.com/files/166167/Hikvision-IP-Camera • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')