
Hongdian H8922 3.0.5 Devices - Local File Inclusion CVE-2021-28149

Severity
CVSSv3 Score
6.5
Vulnerability description

Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ sequences into the file name (e.g., ../../etc/passwd). This can be carried out with a web browser by changing the file name accordingly: upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server allows a download of the contents of the /etc/passwd file.

Risk description

No risk description to display.

Recommendation

Apply the latest security patches or updates provided by the vendor to fix the LFI vulnerability in Hongdian H8922 3.0.5 Devices.

Codename
Not available
Detectable with
Network Scanner
Scan engine
Nuclei
Exploitable with Sniper
No
CVE Published
May 6, 2021
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available