7.5
CVE-2020-22002
- EPSS 0.74%
- Veröffentlicht 29.04.2021 15:15:10
- Zuletzt bearbeitet 21.11.2024 05:13:00
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginAn Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI <=6.x within the GetImage functionality. The application parses user supplied data in the GET parameter 'host' to construct an image request to the service through onvif.cgi. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Inim ≫ Smartliving 505 Firmware Version-
Inim ≫ Smartliving 515 Firmware Version-
Inim ≫ Smartliving 1050 Firmware Version-
Inim ≫ Smartliving 1050g3 Firmware Version-
Inim ≫ Smartliving 10100l Firmware Version-
Inim ≫ Smartliving 10100lg3 Firmware Version-
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.74% | 0.722 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.