PT-2022-11239 · Reolink · Reolink Rlc-410W
Author: Francesco Benvenuto · Published 2022-01-28 · Updated 2022-10-19
CVE-2021-40416 · CVSS v3.1 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
reolink RLC-410W version 3.0.0.136 20121102
Description
An incorrect default permissions issue exists in the "cgi check ability" functionality of cgiserver.cgi. Because of it, any logged-in user can execute Get APIs that are not covered by the cgi check ability list, regardless of the user's privilege level. An attacker can trigger this issue by sending an HTTP request to the device.
Recommendations
For reolink RLC-410W version 3.0.0.136 20121102, consider restricting access to the cgiserver.cgi cgi check ability functionality until a patch is available. As a temporary workaround, limit the execution of Get APIs not included in the cgi check ability list to low-privilege accounts as little as possible, so as to minimize the risk of exploitation.
Improper Access Control
Incorrect Default Permissions
Related Identifiers
Affected Products
Reolink Rlc-410W