Security Vulnerabilities - CVEs Published In March 2020
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The DOWNLOADS section in the web interface of the Control Center
Server (CCS) contains a path traversal vulnerability
that could allow an authenticated remote attacker to access and download
arbitrary files from the server where CCS is installed.
CVSS Score
6.5
EPSS Score
0.003
Published
2020-03-10
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0). The FTP services of the SiVMS/SiNVR Video Server and the Control Center Server (CCS) maintain
log files that store login credentials in cleartext.
In configurations where the FTP service is enabled, authenticated remote
attackers could extract login credentials of other users of the service.
CVSS Score
5.3
EPSS Score
0.002
Published
2020-03-10
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The Control Center Server (CCS) contains an SQL injection
vulnerability in its XML-based communication protocol as provided by default
on ports 5444/tcp and 5440/tcp.
An authenticated remote attacker could exploit this vulnerability to
read or modify the CCS database and potentially execute administrative
database operations or operating system commands.
CVSS Score
8.8
EPSS Score
0.006
Published
2020-03-10
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains a
reflected Cross-site Scripting (XSS) vulnerability
that could allow an unauthenticated remote attacker to steal sensitive data
or execute administrative actions on behalf of a legitimate administrator
of the CCS web interface.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-03-10
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains
multiple stored Cross-site Scripting (XSS) vulnerabilities in several input
fields.
This could allow an authenticated remote attacker to inject malicious
JavaScript code into the CCS web application that is later executed
in the browser context of any other user who views the relevant CCS
web content.
CVSS Score
6.3
EPSS Score
0.002
Published
2020-03-10
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The Control Center Server (CCS) does not enforce logging of
security-relevant activities in its XML-based communication protocol
as provided by default on ports 5444/tcp and 5440/tcp.
An authenticated remote attacker could exploit this vulnerability to
perform covert actions that are not visible in the application log.
CVSS Score
4.3
EPSS Score
0.003
Published
2020-03-10
A vulnerability has been identified in SiNVR/SiVMS Video Server (All versions < V5.0.0). The two FTP services (default ports 21/tcp and 5411/tcp) of the SiVMS/SiNVR Video
Server contain a path traversal vulnerability
that could allow an authenticated remote attacker to access and download
arbitrary files from the server, if the FTP services are enabled.
CVSS Score
6.8
EPSS Score
0.004
Published
2020-03-10
A vulnerability has been identified in SiNVR/SiVMS Video Server (All versions < V5.0.0). The streaming service (default port 5410/tcp) of the SiVMS/SiNVR Video Server
contains a path traversal vulnerability, that could allow an
unauthenticated remote attacker to access and download arbitrary files from the server.
CVSS Score
7.5
EPSS Score
0.009
Published
2020-03-10
A vulnerability has been identified in SiNVR/SiVMS Video Server (All versions < V5.0.0), SiNVR/SiVMS Video Server (All versions >= V5.0.0 < V5.0.2). The streaming service (default port 5410/tcp) of the SiVMS/SiNVR Video Server
contains a input validation vulnerability, that could allow
an unauthenticated remote attacker to cause a Denial-of-Service condition
by sending malformed HTTP requests.
CVSS Score
7.5
EPSS Score
0.008
Published
2020-03-10
A vulnerability has been identified in SiNVR/SiVMS Video Server (All versions < V5.0.0), SiNVR/SiVMS Video Server (All versions >= V5.0.0 < V5.0.2), SiNVR/SiVMS Video Server (All versions >= V5.0.2). The streaming service (default port 5410/tcp) of the SiVMS/SiNVR Video Server
applies weak cryptography when exposing device (camera) passwords.
This could allow an unauthenticated remote attacker to read and decrypt
the passwords and conduct further attacks.
CVSS Score
7.5
EPSS Score
0.005
Published
2020-03-10