**CVE-2018-9995** (Qsee)
**Name of the Vulnerable Software and Affected Versions**
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login
**Description**
The issue allows remote attackers to bypass authentication by supplying a `Cookie: uid=admin` header. This can be demonstrated with a `device.rsp?opt=user&cmd=list` request, whose JSON response includes user credentials. Exploitation of this issue may allow a remote attacker to bypass security restrictions and gain unauthorized access to protected information by sending a specially crafted request. There has been a spike in attacks against TBK DVR devices.
**Recommendations**
For TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, consider rejecting requests that carry a `uid=admin` value in the Cookie header to prevent authentication bypass until a patch is available.
As a temporary workaround, restrict access to the `device.rsp?opt=user&cmd=list` endpoint to minimize the risk of exploitation.
Avoid relying on the `uid` variable in the Cookie header on the affected devices until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
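The two workarounds above (reject the bypass cookie, restrict the user-list endpoint) can be enforced in front of the device and checked against access logs. The following is an added example, not code from the advisory or from any vendor: it assumes the DVR sits behind a reverse proxy that can run a request filter, an assumed allow-list of management addresses (`ALLOWED_SOURCES`), and a constructed log format of the form `IP "METHOD PATH PROTO" cookie="..."`. The path, query parameters and cookie value are the ones the advisory names.

```python
"""Added example (not part of the advisory): a front-proxy request filter and
an access-log detector for the CVE-2018-9995 authentication-bypass pattern.

Assumptions (mine, not the advisory's): the DVR is behind a reverse proxy
that can run this filter, ALLOWED_SOURCES lists the management hosts that
may call the user-list endpoint, and the log format below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and cookie value named in the advisory.
SENSITIVE_PATH = "/device.rsp"
SENSITIVE_QUERY = {"opt": "user", "cmd": "list"}
BYPASS_COOKIE = ("uid", "admin")

# Constructed example: the only host allowed to list users (assumption).
ALLOWED_SOURCES = {"192.0.2.10"}


def parse_cookie(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}.

    Written by hand rather than with http.cookies so malformed headers
    (which an attacker controls) never raise; unparsable parts are skipped.
    """
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name.strip()] = value.strip().strip('"')
    return out


def cookie_has_bypass(header: str) -> bool:
    """True if the Cookie header carries uid=admin (value compared case-insensitively)."""
    name, value = BYPASS_COOKIE
    return parse_cookie(header).get(name, "").lower() == value


def targets_user_list(target: str) -> bool:
    """True if the request target is device.rsp?opt=user&cmd=list (any parameter order)."""
    parts = urlsplit(target)
    if parts.path != SENSITIVE_PATH:
        return False
    query = parse_qs(parts.query)
    return all(query.get(key, [None])[0] == expected
               for key, expected in SENSITIVE_QUERY.items())


def decide(method: str, target: str, headers: dict, source_ip: str) -> str:
    """Apply the advisory's two workarounds; returns 'allow' or a 'block:<reason>' string."""
    if cookie_has_bypass(headers.get("Cookie", "")):
        return "block:bypass-cookie"          # workaround 1: reject uid=admin outright
    if targets_user_list(target) and source_ip not in ALLOWED_SOURCES:
        return "block:restricted-endpoint"    # workaround 2: restrict the endpoint
    return "allow"


# Constructed access-log lines (not real traffic) in the assumed format.
SAMPLE_LOG = """\
198.51.100.7 "GET /device.rsp?opt=user&cmd=list HTTP/1.1" cookie="uid=admin"
192.0.2.10 "GET /device.rsp?opt=user&cmd=list HTTP/1.1" cookie="uid=admin"
203.0.113.5 "GET /index.html HTTP/1.1" cookie="-"
203.0.113.5 "GET /device.rsp?opt=user&cmd=list HTTP/1.1" cookie="session=abc"
"""

LOG_LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" cookie="([^"]*)"$')


def scan_log(text: str) -> list:
    """Replay logged requests through decide(); returns (ip, verdict) for each non-allowed one."""
    hits = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # lines in another format are ignored, not guessed at
        ip, method, target, cookie = match.groups()
        headers = {"Cookie": "" if cookie == "-" else cookie}
        verdict = decide(method, target, headers, ip)
        if verdict != "allow":
            hits.append((ip, verdict))
    return hits


if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{verdict}")
```

`decide()` checks the cookie before the endpoint so that a `uid=admin` request is rejected even from an allowed management host; a legitimate client never needs that cookie, so there is no benign case to preserve. The same `scan_log()` can be pointed at historical logs to find whether the endpoint was reached before the filter was deployed.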