PT-2022-12055 · Reolink · Reolink Rlc-410W
Francesco Benvenuto
·
Published
2022-01-28
·
Updated
2022-10-25
·
CVE-2021-44358
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
reolink RLC-410W version 3.0.0.136 20121102
Description
A denial of service issue exists in the cgiserver.cgi JSON command parser functionality. This can be triggered by a specially-crafted HTTP request, leading to a reboot. The
SetRec param is not an object, allowing an attacker to send an HTTP request and exploit this issue.Recommendations
For version 3.0.0.136 20121102, consider disabling the cgiserver.cgi JSON command parser functionality until a patch is available to prevent exploitation. Restrict access to the vulnerable
SetRec param to minimize the risk of a denial of service attack.Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Reolink Rlc-410W