exploitDog

CVE-2024-56897

Опубликовано: 24 фев. 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset.

Ссылки

https://geochen.medium.com/cve-2024-56897-yi-car-dashcam-39304a4b21b4
Exploit
Third Party Advisory
https://github.com/geo-chen/YI-Smart-Dashcam/
Exploit
Third Party Advisory
https://yitechnology.com.sg/products/dash-camera/
Broken Link

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:yitechnology:yi_car_dashcam_firmware:3.88:*:*:*:*:*:*:*

cpe:2.3:h:yitechnology:yi_car_dashcam:-:*:*:*:*:*:*:*

EPSS

Процентиль: 44%

0.00211

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-434

CWE-434

Связанные уязвимости

GHSA-v8m2-qqpw-r35m

CVSS3: 9.8

github

12 месяцев назад

Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset.

EPSS

Процентиль: 44%

0.00211

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-434

CWE-434