CVE-2020-24219

An issue was discovered on URayTech IPTV/H.264/H.265 video encoders through 1.97. Attackers can send crafted unauthenticated HTTP requests to exploit path traversal and pattern-matching programming flaws, and retrieve any file from the device's file system, including the configuration file with the cleartext administrative password.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
szurayiptv\/h.264_video_encoder_firmware
𝑥
≤ 1.97
szurayiptv\/h.265_video_encoder_firmware
𝑥
≤ 1.97
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/159595/HiSilicon-Video-Encoder-1.97-File-Disclosure-Path-Traversal.html
https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
https://www.kb.cert.org/vuls/id/896979
http://packetstormsecurity.com/files/159595/HiSilicon-Video-Encoder-1.97-File-Disclosure-Path-Traversal.html
https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
https://www.kb.cert.org/vuls/id/896979