
CVE-2019-11001

Warning
Exploit
On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field.
Data provided by the National Vulnerability Database (NVD)

Affected products
Reolink RLC-410W Firmware, version <= 1.0.227
Reolink RLC-410W (hardware), version: -
Reolink C1 Pro Firmware, version <= 1.0.227
Reolink C1 Pro (hardware), version: -
Reolink C2 Pro Firmware, version <= 1.0.227
Reolink C2 Pro (hardware), version: -
Reolink RLC-422W Firmware, version <= 1.0.227
Reolink RLC-422W (hardware), version: -
Reolink RLC-511W Firmware, version <= 1.0.227
Reolink RLC-511W (hardware), version: -

18.12.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability
Reolink Multiple IP Cameras OS Command Injection Vulnerability

Description
Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras contain an authenticated OS command injection vulnerability. This vulnerability allows an authenticated admin to use the "TestEmail" functionality to inject and run OS commands as root.

Required action
The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
EPSS metrics
Type   Source      Score    Percentile
EPSS   FIRST.org   33.82%   0.968

CVSS metrics
Source                                 Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                           7.2          1.2             5.9            CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov                           9            8               10             AV:N/AC:L/Au:S/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0   7.2          1.2             5.9            CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.