PT-2024-33028 · Tuya · Kerui Hd 3Mp 1080P Tuya Camera

Published: 2024-10-30 · Updated: 2024-11-01 · CVE-2024-48214

CVSS v3.1: 8.4 (High)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: KERUI HD 3MP 1080P Tuya Camera version 1.0.4

Description: The issue concerns a command injection vulnerability in the module that connects to the local network via a QR code. This vulnerability allows an attacker to create a custom, unauthenticated QR code and abuse one of the parameters, either SSID or PASSWORD, in the JSON data contained within the QR code. By doing so, the attacker can execute arbitrary code on the camera.

Recommendations: For KERUI HD 3MP 1080P Tuya Camera version 1.0.4, consider disabling the QR code connection feature until a patch is available to prevent exploitation of the command injection vulnerability. Restrict access to the camera's network connection to minimize the risk of arbitrary code execution. Avoid using the SSID or PASSWORD parameters in the QR code's JSON data until the issue is resolved.

Fix

Command Injection

Weakness Enumeration

Related Identifiers: CVE-2024-48214

Affected Products: Kerui Hd 3Mp 1080P Tuya Camera