CVSS: 8.8EPSS: 0%CPEs: 18EXPL: 0CVE-2019-9679
https://notcve.org/view.php?id=CVE-2019-9679
Some of Dahua's Debug functions do not have permission separation. Low-privileged users can use the Debug function after logging in. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18,2019. Algunas de las funciones de Depuración de Dahua no poseen separación de permisos. Usuarios poco privilegiados pueden usar la función de Depuración después de iniciar sesión. • https://www.dahuasecurity.com/support/cybersecurity/details/637 • CWE-276: Incorrect Default Permissions •
CVSS: 5.3EPSS: 0%CPEs: 18EXPL: 0CVE-2019-9681
https://notcve.org/view.php?id=CVE-2019-9681
Online upgrade information in some firmware packages of Dahua products is not encrypted. Attackers can obtain this information by analyzing firmware packages by specific means. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X,IPC-HFW5X2X for versions which Build time is before August 18,2019. La información de actualización en línea en algunos paquetes de firmware de productos Dahua no está encriptada. Los atacantes pueden obtener esta información mediante el análisis de paquetes de firmware por medios específicos. • https://www.dahuasecurity.com/support/cybersecurity/details/637 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-9676
https://notcve.org/view.php?id=CVE-2019-9676
Buffer overflow vulnerability found in some Dahua IP Camera devices IPC-HFW1XXX,IPC-HDW1XXX,IPC-HFW2XXX Build before 2018/11. The vulnerability exits in the function of redirection display for serial port printing information, which can not be used by product basic functions. After an attacker logs in locally, this vulnerability can be exploited to cause device restart or arbitrary code execution. Dahua has identified the corresponding security problems in the static code auditing process, so it has gradually deleted this function, which is no longer available in the newer devices and softwares. Dahua has released versions of the affected products to fix the vulnerability. • https://www.dahuasecurity.com/support/cybersecurity/details/617 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0CVE-2017-3223 – Dahua IP camera products using firmware versions prior to V2.400.0000.14.R.20170713 include a version of the Sonia web interface that may be vulnerable to a stack buffer overflow
https://notcve.org/view.php?id=CVE-2017-3223
Dahua IP camera products using firmware versions prior to V2.400.0000.14.R.20170713 include a version of the Sonia web interface that may be vulnerable to a stack buffer overflow. Dahua IP camera products include an application known as Sonia (/usr/bin/sonia) that provides the web interface and other services for controlling the IP camera remotely. Versions of Sonia included in firmware versions prior to DH_IPC-Consumer-Zi-Themis_Eng_P_V2.408.0000.11.R.20170621 do not validate input data length for the 'password' field of the web interface. A remote, unauthenticated attacker may submit a crafted POST request to the IP camera's Sonia web interface that may lead to out-of-bounds memory operations and loss of availability or remote code execution. The issue was originally identified by the researcher in firmware version DH_IPC-HX1X2X-Themis_EngSpnFrn_N_V2.400.0000.30.R.20160803. • http://www.securityfocus.com/bid/99620 https://www.kb.cert.org/vuls/id/547255 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVSS: 8.8EPSS: 0%CPEs: 16EXPL: 0CVE-2017-9317
https://notcve.org/view.php?id=CVE-2017-9317
Privilege escalation vulnerability found in some Dahua IP devices. Attacker in possession of low privilege account can gain access to credential information of high privilege account and further obtain device information or attack the device. Se ha encontrado una vulnerabilidad de escalado de privilegios en algunos dispositivos Dahua IP. Un atacante en posesión de una cuenta con bajos privilegios puede obtener acceso a información de credenciales de una cuenta con altos privilegios y obtener información sobre el dispositivo o atacarlo. • https://www.dahuasecurity.com/support/cybersecurity/annoucementNotice/337 •