CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 1CVE-2016-15038 – NUUO NVRmini 2 deletefile.php path traversal
https://notcve.org/view.php?id=CVE-2016-15038
A vulnerability, which was classified as critical, was found in NUUO NVRmini 2 up to 3.0.8. Affected is an unknown function of the file /deletefile.php. The manipulation of the argument filename leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?ctiid.258780 https://vuldb.com/?id.258780 https://www.exploit-db.com/exploits/40214 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 63%CPEs: 2EXPL: 1CVE-2018-11523 – NUUO NVRmini2 / NVRsolo - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2018-11523
upload.php on NUUO NVRmini 2 devices allows Arbitrary File Upload, such as upload of .php files. upload.php en dispositivos NUUO NVRmini 2 permite la subida de archivos arbitrarios, como .php. • https://www.exploit-db.com/exploits/44794 https://github.com/unh3x/just4cve/issues/1 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 32EXPL: 1CVE-2016-5677 – NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-5677
NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 have a hardcoded qwe23622260 password for the nuuoeng account, which allows remote attackers to obtain sensitive information via an __nvr_status___.php request. NUUO NVRmini 2 1.7.5 hasta la versión 3.0.0, NUUO NVRsolo 1.0.0 hasta la versión 3.0.0 y NETGEAR ReadyNAS Surveillance 1.1.1 hasta la versión 1.4.1 tienen una contraseña codificada qwe23622260 para la cuenta nuuoeng, lo que permite a atacantes remotos obtener información sensible a través de una petición __nvr_status___.php. NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS suffer from multiple security issues that result in remote code execution, backdoor access, buffer overflow, and various other vulnerabilities. • https://www.exploit-db.com/exploits/40200 http://www.kb.cert.org/vuls/id/856152 http://www.securityfocus.com/bid/92318 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 38EXPL: 1CVE-2016-5678 – NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-5678
NUUO NVRmini 2 1.0.0 through 3.0.0 and NUUO NVRsolo 1.0.0 through 3.0.0 have hardcoded root credentials, which allows remote attackers to obtain administrative access via unspecified vectors. NUUO NVRmini 2 1.0.0 hasta la versión 3.0.0 y NUUO NVRsolo 1.0.0 hasta la versión 3.0.0 tienen credenciales root codificadas, lo que permite a atacantes remotos obtener acceso administrativo a través de vectores no especificados. NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS suffer from multiple security issues that result in remote code execution, backdoor access, buffer overflow, and various other vulnerabilities. • https://www.exploit-db.com/exploits/40200 http://www.kb.cert.org/vuls/id/856152 http://www.securityfocus.com/bid/92318 • CWE-798: Use of Hard-coded Credentials •
CVSS: 10.0EPSS: 38%CPEs: 36EXPL: 1CVE-2016-5675 – NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-5675
handle_daylightsaving.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, NUUO Crystal 2.2.1 through 3.2.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the NTPServer parameter. handle_daylightsaving.php en NUUO NVRmini 2 1.7.5 hasta la versión 3.0.0, NUUO NVRsolo 1.0.0 hasta la versión 3.0.0, NUUO Crystal 2.2.1 hasta la versión 3.2.0 y NETGEAR ReadyNAS Surveillance 1.1.1 hasta la versión 1.4.1 permite a atacantes remotos ejecutar código PHP arbitrario a través del parámetro NTPServer. NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS suffer from multiple security issues that result in remote code execution, backdoor access, buffer overflow, and various other vulnerabilities. • https://www.exploit-db.com/exploits/40200 http://www.kb.cert.org/vuls/id/856152 http://www.securityfocus.com/bid/92318 https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-nvr-vulns.txt https://seclists.org/bugtraq/2016/Aug/45 • CWE-20: Improper Input Validation •