CVE-2023-6895

Опубликовано: 17 дек. 2023

Источник: nvd

CVSS3: 6.3

CVSS3: 9.8

CVSS2: 5.8

EPSS Критический

Описание

A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-248254 is the identifier assigned to this vulnerability.

Ссылки

https://github.com/willchen0011/cve/blob/main/rce.md
Exploit
Third Party Advisory
https://vuldb.com/?ctiid.248254
Permissions Required
Third Party Advisory
https://vuldb.com/?id.248254
Third Party Advisory
https://github.com/willchen0011/cve/blob/main/rce.md
Exploit
Third Party Advisory
https://vuldb.com/?ctiid.248254
Permissions Required
Third Party Advisory
https://vuldb.com/?id.248254
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:hikvision:intercom_broadcast_system:*:*:*:*:*:*:*:*

Версия от 3.0.3 (включая) до 4.1.0 (исключая)

Одно из

cpe:2.3:h:hikvision:ds-kd-bk:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd-dis:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd-e:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd-in:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd-info:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd-kk:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd-kk\/s:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd-kp:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd-kp\/s:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd-m:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd3003-e6:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd8003ime1\(b\):-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd8003ime1\(b\)\/flush:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd8003ime1\(b\)\/ns:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd8003ime1\(b\)\/s:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kd8003ime1\(b\)\/surface:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh6220-le1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh6320-le1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh6320-tde1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh6320-te1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh6320-wtde1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh6320-wte1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh6350-wte1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh6351-te1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh6351-wte1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh63le1\(b\):-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh8520-wte1:-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh9310-wte1\(b\):-:*:*:*:*:*:*:*

cpe:2.3:h:hikvision:ds-kh9510-wte1\(b\):-:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.92185

Критический

6.3 Medium

CVSS3

9.8 Critical

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-rg52-4hvq-96p6

CVSS3: 6.3

github

около 2 лет назад

A vulnerability was found in Hikvision Intercom Broadcasting System 3.0.3_20201113_RELEASE(HIK). It has been declared as critical. This vulnerability affects unknown code of the file /php/ping.php. The manipulation of the argument jsondata[ip] with the input netstat -ano leads to os command injection. The exploit has been disclosed to the public and may be used. VDB-248254 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

EPSS

Процентиль: 100%

0.92185

Критический

6.3 Medium

CVSS3

9.8 Critical

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-78