Szymon Paszun

**Name of the Vulnerable Software and Affected Versions** Vivotek IP7137 camera versions prior to 0200a **Description** The Vivotek IP7137 camera is affected by an information disclosure issue. Live camera footage can be accessed through the Real Time Streaming Protocol (RTSP) on port 8554 without authentication. This allows unauthorized network users to view the camera feed, potentially compromising privacy and security. The vendor has not responded to reports of this issue, and as the product is in its End-Of-Life phase, a fix is not expected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vivotek IP7137 camera versions prior to firmware version 0200a **Description** The Vivotek IP7137 camera, with firmware version 0200a, does not require a password by default when logging in as an administrator. Although setting a password is possible, the user interface does not prompt for one. The vendor has not responded to reports regarding this issue, and a fix is not expected due to the product being in its End-Of-Life phase. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vivotek IP7137 camera versions prior to firmware version 0200a **Description** The Vivotek IP7137 camera is susceptible to a path traversal issue. An authenticated attacker can potentially access resources outside the intended webroot directory by sending a direct HTTP request. Additionally, the administration panel may not have a default password set, potentially allowing unauthorized access. It is possible that all firmware versions are affected. The product has reached its End-Of-Life phase, and a fix is not anticipated. **Recommendations** Update the firmware to version 0200a or later. Set a strong password for the administration panel. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vivotek IP7137 camera versions prior to 0200a **Description** The Vivotek IP7137 camera is affected by a command injection issue. The `/cgi-bin/admin/setparam.cgi` API endpoint does not properly sanitize the `system ntpIt` parameter. This allows a user with administrative privileges to execute commands. Administrative access is not protected by default. As the product has reached its End-Of-Life phase, a fix is not expected. **Recommendations** Update the firmware to a version newer than 0200a, if available. As a temporary workaround, restrict access to the `/cgi-bin/admin/setparam.cgi` endpoint. Avoid using the `system ntpIt` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Vilar VS-IPC1002 IP cameras (affected versions not specified) **Description** Vilar VS-IPC1002 IP cameras are susceptible to Reflected Cross-Site Scripting (XSS) attacks. This occurs because parameters within GET requests sent to the `/cgi-bin/action` API endpoint are not adequately sanitized. This lack of sanitization allows attackers to potentially target logged-in administrator users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vilar VS-IPC1002 IP cameras (affected versions not specified) **Description** Vilar VS-IPC1002 IP cameras are susceptible to Denial-of-Service (DoS) attacks. An unauthenticated attacker on the same local network can send a crafted request to the `/cgi-bin/action` API endpoint, causing the device to become unresponsive. A manual restart of the device is required to restore functionality. The vendor has not provided a response. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GALAYOU G2 cameras version 11.100001.01.28 **Description** GALAYOU G2 cameras stream video output via RTSP streams. By default, these streams are protected by randomly generated credentials, but these credentials are not required to access the stream. Changing these credentials does not alter the camera's behavior. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.