CVE-2014-1901

14.05.2015, 00:59

Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote authenticated users to cause a denial of service (reboot) via a malformed (1) path parameter to en/store_main.asp, (2) item parameter to en/account/accedit.asp, or (3) emailid parameter to en/smtpclient.asp.  NOTE: this issue can be exploited without authentication by leveraging CVE-2014-1900.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Vector
NIST	NIST	6.8 UNKNOWN	NETWORK	LOW	AV:N/AC:L/Au:S/C:N/I:N/A:C
mitre	CNA	---			---
CVE	ADP	---			---

Base Score

CVSS 3.x

EPSS Score

Percentile: 69%

Vendor	Product	Version
y-cam	yceb03_firmware	4.30
y-cam	ycb004_firmware	4.30
y-cam	ycb002_firmware	4.30
y-cam	ycbl03_firmware	4.30
y-cam	ycbl03	*
y-cam	ycblb3_firmware	4.30
y-cam	ycblb3	*
y-cam	yck002_firmware	4.30
y-cam	ycblhd5_firmware	4.30
y-cam	ycw003_firmware	4.30
y-cam	ycw001_firmware	4.30
y-cam	ycw002_firmware	4.30
y-cam	ycb001_firmware	4.30
y-cam	ycw004_firmware	4.30
y-cam	ycw004	*
y-cam	yck003_firmware	4.30
y-cam	yck004_firmware	4.30
y-cam	ycb003_firmware	4.30

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://www.y-cam.com/y-cam-security-fix/

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2014-007/?fid=3850

http://www.y-cam.com/y-cam-security-fix/

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2014-007/?fid=3850