CVE-2014-1901

Name of the Vulnerable Software and Affected Versions Y-Cam camera models SD range YCB003, YCK003, and YCW003 Y-Cam camera models S range YCB004, YCK004, YCW004 Y-Cam EyeBall YCEB03 Y-Cam Bullet VGA YCBL03 and YCBLB3 Y-Cam Bullet HD 720 YCBLHD5 Y-cam Classic Range YCB002, YCK002, and YCW003 Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier

Description The issue allows remote authenticated users to cause a denial of service (reboot) via a malformed parameter to specific API endpoints, including the path parameter to "en/store main.asp", the item parameter to "en/account/accedit.asp", or the emailid parameter to "en/smtpclient.asp". This issue can also be exploited without authentication by leveraging another existing issue.

Recommendations For Y-Cam camera models SD range YCB003, YCK003, and YCW003, update the firmware to a version later than 4.30. For Y-Cam camera models S range YCB004, YCK004, YCW004, update the firmware to a version later than 4.30. For Y-Cam EyeBall YCEB03, update the firmware to a version later than 4.30. For Y-Cam Bullet VGA YCBL03 and YCBLB3, update the firmware to a version later than 4.30. For Y-Cam Bullet HD 720 YCBLHD5, update the firmware to a version later than 4.30. For Y-cam Classic Range YCB002, YCK002, and YCW003, update the firmware to a version later than 4.30. For Y-cam Original Range YCB001, YCW001, update the firmware to a version later than 4.30. As a temporary workaround, consider restricting access to the vulnerable API endpoints "en/store main.asp", "en/account/accedit.asp", and "en/smtpclient.asp" until a patch is available.