Vulnerability Details : CVE-2020-24219
An issue was discovered on URayTech IPTV/H.264/H.265 video encoders through 1.97. Attackers can send crafted unauthenticated HTTP requests to exploit path traversal and pattern-matching programming flaws, and retrieve any file from the device's file system, including the configuration file with the cleartext administrative password.
Vulnerability category: Directory traversal
Products affected by CVE-2020-24219
- cpe:2.3:o:szuray:iptv\/h.264_video_encoder_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:szuray:iptv\/h.265_video_encoder_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-24219
29.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-24219
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N |
10.0
|
6.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2020-24219
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-24219
-
https://www.kb.cert.org/vuls/id/896979
VU#896979 - IPTV encoder devices contain multiple vulnerabilitiesThird Party Advisory;US Government Resource
-
http://packetstormsecurity.com/files/159595/HiSilicon-Video-Encoder-1.97-File-Disclosure-Path-Traversal.html
HiSilicon Video Encoder 1.97 File Disclosure / Path Traversal ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
Backdoors and other vulnerabilities in HiSilicon based hardware video encoders · Alexei KojenovExploit;Third Party Advisory
Jump to