PT-2015-3692 · Y Cam · Y-Cam

Published: 2015-05-14 · Updated: 2015-05-15 · CVE-2014-1900

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Y-Cam camera models SD range versions YCB003, YCK003, and YCW003

Y-Cam camera models S range versions YCB004, YCK004, and YCW004

Y-Cam EyeBall version YCEB03

Y-Cam Bullet VGA versions YCBL03 and YCBLB3

Y-Cam Bullet HD 720 version YCBLHD5

Y-Cam Classic Range versions YCB002, YCK002, and YCW003

Y-Cam Original Range versions YCB001 and YCW001

The models above are affected when running firmware versions prior to 4.31.

Description

The issue allows remote attackers to bypass authentication and obtain sensitive information by including a leading "/./" in a request to the "en/account/accedit.asp" endpoint.

Recommendations

For Y-Cam camera models SD range versions YCB003, YCK003, and YCW003, update the firmware to a version later than 4.30.

For Y-Cam camera models S range versions YCB004, YCK004, and YCW004, update the firmware to a version later than 4.30.

For Y-Cam EyeBall version YCEB03, update the firmware to a version later than 4.30.

For Y-Cam Bullet VGA versions YCBL03 and YCBLB3, update the firmware to a version later than 4.30.

For Y-Cam Bullet HD 720 version YCBLHD5, update the firmware to a version later than 4.30.

For Y-Cam Classic Range versions YCB002, YCK002, and YCW003, update the firmware to a version later than 4.30.

For Y-Cam Original Range versions YCB001 and YCW001, update the firmware to a version later than 4.30.

As a temporary workaround, consider restricting access to the "en/account/accedit.asp" endpoint until a patch is available.
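
A log check for the request pattern in the Description, added here as an example and not part of the original advisory. It assumes the camera is only reachable through a reverse proxy that writes Common Log Format access logs; the function names and sample log lines are constructed. It flags any request whose path resolves to the endpoint only after normalisation, which covers the leading "/./" form.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the advisory.
PROTECTED = "/en/account/accedit.asp"

# Common Log Format (assumption: the proxy in front of the camera logs this way).
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(line):
    """Return (client_ip, logged_path, status) when the request reaches the
    protected endpoint through a non-canonical path, otherwise None."""
    m = CLF.match(line)
    if not m:
        return None
    path = m["target"].split("?", 1)[0]          # drop the query string
    decoded = unquote(path)                      # resolve %2e and similar
    # Collapse "." segments and repeated slashes the way a server might.
    canonical = "/" + posixpath.normpath(decoded).lstrip("/")
    if canonical == PROTECTED and path != PROTECTED:
        return (m["ip"], path, int(m["status"]))
    return None

def scan(lines):
    """Collect every suspicious request from an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample input (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - admin [14/May/2015:10:01:02 +0000] "GET /en/account/accedit.asp HTTP/1.1" 200 2310',
    '198.51.100.7 - - [14/May/2015:10:03:40 +0000] "GET /./en/account/accedit.asp HTTP/1.1" 200 2310',
    '198.51.100.7 - - [14/May/2015:10:03:41 +0000] "GET /en/index.asp HTTP/1.1" 401 512',
    '203.0.113.5 - - [14/May/2015:10:05:00 +0000] "GET /%2e/en/account/accedit.asp?x=1 HTTP/1.1" 401 512',
]

if __name__ == "__main__":
    for ip, path, status in scan(SAMPLE_LOG):
        # A 200 status on a flagged line means the device answered the request.
        print(f"{ip} requested {path} -> HTTP {status}")
```

The same normalise-then-compare rule can be applied as a deny rule on the proxy to implement the temporary workaround.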

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related identifiers

CVE-2014-1900

Affected products

Y-Cam