PT-2025-47903 · Davantis · Davantis Dfusion
Ferran Plaza · Published 2025-11-24 · Updated 2025-11-24 · CVE-2025-41016
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Davantis DFUSION version 6.177.7
Description
An access control issue exists in Davantis DFUSION version 6.177.7. This allows unauthorized access to images and videos associated with alarm events. Exploitation occurs through the API endpoint /alarms/<ALARM ID>/<MEDIA>, where the MEDIA parameter can be set to 'snapshot' or 'video.mp4'. These media files contain images captured by security cameras when alarms are triggered. The ALARM ID is a variable representing the unique identifier of the alarm event.
Recommendations
Restrict access to the /alarms/<ALARM ID>/<MEDIA> API endpoint.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Davantis Dfusion