PT-2021-10717 · Inim Electronics · Inim Electronics Smartliving Smartlan/G/Si

Author: Sipke Mellema

Published: 2021-04-29 · Updated: 2021-05-05

CVE: CVE-2020-22002

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Inim Electronics Smartliving SmartLAN/G/SI versions prior to 7.x

Description: An unauthenticated Server-Side Request Forgery (SSRF) issue exists within the GetImage functionality. The application uses user-supplied data in the host parameter to construct an image request through onvif.cgi. Since the host parameter is not validated, an attacker can specify an external domain, forcing the application to make an HTTP request to an arbitrary destination host.

Recommendations: For Inim Electronics Smartliving SmartLAN/G/SI versions prior to 7.x, validate the host parameter in the GetImage functionality to prevent SSRF attacks. As a temporary workaround, restrict access to the onvif.cgi service to minimize the risk of exploitation.
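The following is an added illustration of the recommended fix, not code from the vendor or the advisory: the host parameter is checked against the panel's own list of configured cameras before any image request is built. The allowlist contents, the `validate_onvif_host` and `build_image_url` names and the snapshot path are all assumptions for the example.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed allowlist standing in for the panel's configured camera list
# (hypothetical; the real product's configuration format is not on the page).
CONFIGURED_CAMERAS = {"192.168.1.50", "192.168.1.51"}


def validate_onvif_host(host: str, allowed_hosts: Iterable[str] = CONFIGURED_CAMERAS) -> bool:
    """Return True only if `host` is exactly one of the configured cameras.

    Works on the bare host value: anything carrying a scheme, path, port,
    userinfo or whitespace is rejected before the allowlist comparison, so a
    request URL is never assembled from attacker-shaped input.
    """
    if not host or len(host) > 253:
        return False
    # Plain hostname or IPv4 literal only (IPv6 literals are out of scope here).
    if any(c in host for c in "/@:?#\\ \t\r\n"):
        return False
    # Exact, case-insensitive match against the allowlist; no substring logic.
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False
    # Even an allowlisted entry must not point the panel at itself or at
    # special ranges, otherwise onvif.cgi becomes a proxy for local services.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a configured DNS name; resolution happens elsewhere
    return not (ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast)


def build_image_url(host: str) -> Optional[str]:
    """Build the snapshot URL only for a validated host; None otherwise."""
    if not validate_onvif_host(host):
        return None
    # Hypothetical snapshot path; the real endpoint is not given on the page.
    return f"http://{host}/onvif/snapshot"
```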


Related Identifiers: CVE-2020-22002

Affected Products: Inim Electronics Smartliving Smartlan/G/Si