猴子君

#30268 of 53,633
8.7 Total CVSS
Vulnerabilities · 1
PT-2025-27541
8.7
2025-07-01
Hikvision · Hikvision Streaming Media Management Server · CVE-2025-34058
Name of the Vulnerable Software and Affected Versions: Hikvision Streaming Media Management Server version 2.3.5

Description: The issue allows remote attackers to authenticate using default credentials and access restricted functionality. After authentication, an attacker can exploit an arbitrary file read vulnerability in the "/systemLog/downFile.php" endpoint via directory traversal in the `fileName` parameter. This can enable unauthorized access to sensitive system files.

Recommendations: For Hikvision Streaming Media Management Server version 2.3.5, change the default credentials to prevent unauthorized access. As a temporary workaround, consider restricting access to the "/systemLog/downFile.php" endpoint to minimize the risk of exploitation. Avoid using the `fileName` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.