MidnightBSD

Advisories for zavio

CVE-2013-2567 MEDIUM

An Authentication Bypass vulnerability exists in the web interface in Zavio IP Cameras through 1.6.03 due to a hardcoded admin account found in boa.conf, which lets a remote malicious user obtain sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zavio f3105_firmware *
zavio f312a_firmware *
CVE-2013-2568 HIGH

A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 via the ap parameter to /cgi-bin/mft/wireless_mft.cgi, which could let a remote malicious user execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zavio f3105_firmware *
zavio f312a_firmware *
CVE-2013-2569 MEDIUM

A Security Bypass vulnerability exists in Zavio IP Cameras through 1.6.3 because the RTSP protocol authentication is disabled by default, which could let a malicious user obtain unauthorized access to the live video stream.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zavio f3105_firmware *
zavio f312a_firmware *
CVE-2013-2570 HIGH

A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 in the General.Time.NTP.Server parameter to the sub_C8C8 function of the binary /opt/cgi/view/param, which could let a remove malicious user execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zavio f3105_firmware *
zavio f312a_firmware *
CVE-2023-39435

Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 are vulnerable to stack-based overflows. During the process of updating certain settings sent from incoming network requests, the product does not sufficiently check or validate allocated buffer size. This may lead to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zavio b8220_firmware m2.1.6.05
zavio cb5220_firmware m2.1.6.05
zavio cf7300_firmware m2.1.6.05
zavio cf7201_firmware m2.1.6.05
zavio cf7500_firmware m2.1.6.05
zavio cb3212_firmware m2.1.6.05
zavio cf7501_firmware m2.1.6.05
zavio b8520_firmware m2.1.6.05
zavio cb6231_firmware m2.1.6.05
zavio cb3211_firmware m2.1.6.05
zavio cd321_firmware m2.1.6.05
CVE-2023-3959

Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 are vulnerable to multiple instances of stack-based overflows. While processing XML elements from incoming network requests, the product does not sufficiently check or validate allocated buffer size. This may lead to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zavio b8220_firmware m2.1.6.05
zavio cb5220_firmware m2.1.6.05
zavio cf7300_firmware m2.1.6.05
zavio cf7201_firmware m2.1.6.05
zavio cf7500_firmware m2.1.6.05
zavio cb3212_firmware m2.1.6.05
zavio cf7501_firmware m2.1.6.05
zavio b8520_firmware m2.1.6.05
zavio cb6231_firmware m2.1.6.05
zavio cb3211_firmware m2.1.6.05
zavio cd321_firmware m2.1.6.05
CVE-2023-4249

Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 has a command injection vulnerability in their implementation of their binaries and handling of network requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
ics-cert@hq.dhs.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zavio b8220_firmware m2.1.6.05
zavio cb5220_firmware m2.1.6.05
zavio cf7300_firmware m2.1.6.05
zavio cf7201_firmware m2.1.6.05
zavio cf7500_firmware m2.1.6.05
zavio cb3212_firmware m2.1.6.05
zavio cf7501_firmware m2.1.6.05
zavio b8520_firmware m2.1.6.05
zavio cb6231_firmware m2.1.6.05
zavio cb3211_firmware m2.1.6.05
zavio cd321_firmware m2.1.6.05
CVE-2023-43755

Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 are vulnerable to multiple instances of stack-based overflows. During the processing and parsing of certain fields in XML elements from incoming network requests, the product does not sufficiently check or validate allocated buffer size. This may lead to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zavio b8220_firmware m2.1.6.05
zavio cb5220_firmware m2.1.6.05
zavio cf7300_firmware m2.1.6.05
zavio cf7201_firmware m2.1.6.05
zavio cf7500_firmware m2.1.6.05
zavio cb3212_firmware m2.1.6.05
zavio cf7501_firmware m2.1.6.05
zavio b8520_firmware m2.1.6.05
zavio cb6231_firmware m2.1.6.05
zavio cb3211_firmware m2.1.6.05
zavio cd321_firmware m2.1.6.05
CVE-2023-45225

Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP CamerasĀ  with firmware version M2.1.6.05 are vulnerable to multiple instances of stack-based overflows. While parsing certain XML elements from incoming network requests, the product does not sufficiently check or validate allocated buffer size. This may lead to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zavio b8220_firmware m2.1.6.05
zavio cb5220_firmware m2.1.6.05
zavio cf7300_firmware m2.1.6.05
zavio cf7201_firmware m2.1.6.05
zavio cf7500_firmware m2.1.6.05
zavio cb3212_firmware m2.1.6.05
zavio cf7501_firmware m2.1.6.05
zavio b8520_firmware m2.1.6.05
zavio cb6231_firmware m2.1.6.05
zavio cb3211_firmware m2.1.6.05
zavio cd321_firmware m2.1.6.05