Ferran Plaza

#17227 of 53,633
15.6 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2025-47903
8.7
2025-11-24
Davantis · Davantis Dfusion · CVE-2025-41016
**Name of the Vulnerable Software and Affected Versions**
Davantis DFUSION version 6.177.7

**Description**
An access control issue exists in Davantis DFUSION version 6.177.7. This allows unauthorized access to images and videos associated with alarm events. Exploitation occurs through the API endpoint `/alarms/<ALARM ID>/<MEDIA>`, where the `MEDIA` parameter can be set to `snapshot` or `video.mp4`. These media files contain images captured by security cameras when alarms are triggered. The `ALARM ID` is a variable representing the unique identifier of the alarm event.

**Recommendations**
Restrict access to the `/alarms/<ALARM ID>/<MEDIA>` API endpoint.

PT-2025-47904
6.9
2025-11-24
Davantis · Davantis Dfusion · CVE-2025-41017
**Name of the Vulnerable Software and Affected Versions**
Davantis DFUSION version 6.177.7

**Description**
An inadequate access control issue exists in the software that allows unauthorized actors to retrieve perspective parameters from security camera settings. This is achieved by accessing the `/cameras/<CAMERA ID>/perspective` API endpoint, where `CAMERA ID` represents the identifier of the security camera.

**Recommendations**
Apply access controls to restrict access to the `/cameras/<CAMERA ID>/perspective` API endpoint.