Total
88 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40419 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-09-29 | 5.0 MEDIUM | 7.5 HIGH |
| A firmware update vulnerability exists in the 'factory' binary of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted series of network requests can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2021-40406 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-09-02 | 7.8 HIGH | 7.5 HIGH |
| A denial of service vulnerability exists in the cgiserver.cgi session creation functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to prevent users from logging in. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-40404 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-08-08 | 6.4 MEDIUM | 6.5 MEDIUM |
| An authentication bypass vulnerability exists in the cgiserver.cgi Login functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to authentication bypass. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-44385 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-29 | 6.8 MEDIUM | 7.7 HIGH |
| A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. SetPtzSerial param is not object. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-40412 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-29 | 6.5 MEDIUM | 7.2 HIGH |
| An OScommand injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [8] the devname variable, that has the value of the name parameter provided through the SetDevName API, is not validated properly. This would lead to an OS command injection. | |||||
| CVE-2021-40411 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-29 | 6.5 MEDIUM | 7.2 HIGH |
| An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [6] the dns_data->dns2 variable, that has the value of the dns2 parameter provided through the SetLocalLink API, is not validated properly. This would lead to an OS command injection. | |||||
| CVE-2021-40410 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-29 | 6.5 MEDIUM | 7.2 HIGH |
| An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [4] the dns_data->dns1 variable, that has the value of the dns1 parameter provided through the SetLocal API, is not validated properly. This would lead to an OS command injection. | |||||
| CVE-2021-40407 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-40409 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->password variable, that has the value of the password parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. | |||||
| CVE-2021-40408 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->username variable, that has the value of the userName parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. | |||||
| CVE-2021-40423 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-28 | 7.8 HIGH | 7.5 HIGH |
| A denial of service vulnerability exists in the cgiserver.cgi API command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted series of HTTP requests can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-21801 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-01 | 7.8 HIGH | 7.5 HIGH |
| A denial of service vulnerability exists in the netserver recv_command functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted network request can lead to a reboot. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2022-21796 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-01 | 6.4 MEDIUM | 8.2 HIGH |
| A memory corruption vulnerability exists in the netserver parse_command_list functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to an out-of-bounds write. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-21236 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-01 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability exists due to a web server misconfiguration in the Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-21217 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| An out-of-bounds write vulnerability exists in the device TestEmail functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted network request can lead to an out-of-bounds write. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-21199 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| An information disclosure vulnerability exists due to the hardcoded TLS key of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | |||||
| CVE-2022-21134 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-07-01 | 5.0 MEDIUM | 7.5 HIGH |
| A firmware update vulnerability exists in the "update" firmware checks functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to firmware update. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2021-40413 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-06-15 | 6.5 MEDIUM | 7.1 HIGH |
| An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The UpgradePrepare is the API that checks if a provided filename identifies a new version of the RLC-410W firmware. If the version is new, it would be possible, allegedly, to later on perform the Upgrade. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-40414 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-06-15 | 5.5 MEDIUM | 7.1 HIGH |
| An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The SetMdAlarm API sets the movement detection parameters, giving the ability to set the sensitivity of the camera per a range of hours, and which of the camera spaces to ignore when considering movement detection. Because in cgi_check_ability the SetMdAlarm API does not have a specific case, the user permission will default to 7. This will give non-administrative users the possibility to change the movement detection parameters. | |||||
| CVE-2021-40405 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2022-04-25 | 6.8 MEDIUM | 6.5 MEDIUM |
| A denial of service vulnerability exists in the cgiserver.cgi Upgrade API functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability. | |||||