Search criteria
14 vulnerabilities by kiloview
CVE-2025-8915 (GCVE-0-2025-8915)
Vulnerability from cvelistv5 – Published: 2025-10-13 06:58 – Updated: 2025-10-14 13:17
VLAI?
Summary
Hardcoded TLS private key and certificate in firmware in Kiloview N30 2.02.246 allows malicious adversary to do a Mann-in-the-middle attack via the network
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Credits
Louis Dumas
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8915",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T13:17:10.539583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T13:17:19.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.kiloview.com/downloads/Firmware/NDI%20Products/FULL%20NDI/N30/N30-0246-full-upgrade.bin",
"defaultStatus": "affected",
"modules": [
"encryption",
"tls key"
],
"product": "N30",
"vendor": "Kiloview",
"versions": [
{
"status": "affected",
"version": "2.02.246"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Louis Dumas"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hardcoded TLS private key and certificate in firmware in Kiloview N30 2.02.246\u0026nbsp;allows malicious adversary to do a Mann-in-the-middle attack via the network"
}
],
"value": "Hardcoded TLS private key and certificate in firmware in Kiloview N30 2.02.246\u00a0allows malicious adversary to do a Mann-in-the-middle attack via the network"
}
],
"impacts": [
{
"capecId": "CAPEC-151",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-151 Identity Spoofing"
}
]
},
{
"capecId": "CAPEC-384",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-384 Application API Message Manipulation via Man-in-the-Middle"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-13T06:58:49.339Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.kiloview.com/en/support/download/n30-firmware-downloadlatest/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hardcoded TLS private key in Kiloview N30 firmware",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2025-8915",
"datePublished": "2025-10-13T06:58:49.339Z",
"dateReserved": "2025-08-13T07:29:54.771Z",
"dateUpdated": "2025-10-14T13:17:19.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9265 (GCVE-0-2025-9265)
Vulnerability from cvelistv5 – Published: 2025-10-13 06:57 – Updated: 2025-10-14 13:19
VLAI?
Summary
A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state changing actions that should only be initiated by administratorsThis issue affects
Kiloview NDI N30
and was fixed in Firmware version later than 2.02.0246
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Joakim Brandt - NRK (Norsk rikskringkasting AS)
Louis Dumas
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9265",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T13:19:29.801041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T13:19:43.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.kiloview.com/en/support/download/n30-for-ndi/",
"defaultStatus": "affected",
"product": "NDI",
"vendor": "Kiloview",
"versions": [
{
"status": "affected",
"version": "2.02.246",
"versionType": "N30 Firmware"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joakim Brandt - NRK (Norsk rikskringkasting AS)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Louis Dumas"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state changing actions that should only be initiated by administrators\u003cp\u003eThis issue affects \n\n Kiloview NDI N30\n\nand was fixed in Firmware version later than 2.02.0246\n\n\u003c/p\u003e"
}
],
"value": "A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state changing actions that should only be initiated by administratorsThis issue affects \n\n Kiloview NDI N30\n\nand was fixed in Firmware version later than 2.02.0246"
}
],
"impacts": [
{
"capecId": "CAPEC-22",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-22 Exploiting Trust in Client"
}
]
},
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115: Authentication Bypass."
}
]
},
{
"capecId": "CAPEC-151",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-151 Identity Spoofing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-13T06:57:45.195Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n30-firmware-downloadlatest/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "API Authentication Bypass via Header Spoofing vulnerability in Kiloview NDI N30 Products",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2025-9265",
"datePublished": "2025-10-13T06:57:45.195Z",
"dateReserved": "2025-08-20T14:20:57.768Z",
"dateUpdated": "2025-10-14T13:19:43.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41928 (GCVE-0-2023-41928)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:43 – Updated: 2024-08-02 19:09
VLAI?
Summary
The device is observed to accept deprecated TLS protocols, increasing the risk of cryptographic weaknesses.
Severity ?
5.3 (Medium)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T15:39:39.501176Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T15:39:48.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe device is observed to accept deprecated TLS protocols, increasing the risk of cryptographic weaknesses.\u003cbr\u003e\u003c/p\u003e\n\n\n\n\n\n"
}
],
"value": "The device is observed to accept deprecated TLS protocols, increasing the risk of cryptographic weaknesses."
}
],
"impacts": [
{
"capecId": "CAPEC-97",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-97 Cryptanalysis"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T07:43:31.998Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote server offers deprecated TLS protocol in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41928",
"datePublished": "2024-07-02T07:43:31.998Z",
"dateReserved": "2023-09-05T10:14:50.217Z",
"dateUpdated": "2024-08-02T19:09:49.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41927 (GCVE-0-2023-41927)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:43 – Updated: 2024-08-02 19:09
VLAI?
Summary
The server supports at least one cipher suite which is on the NCSC-NL list of cipher suites to be phased out, increasing the risk of cryptographic weaknesses.
Severity ?
5.3 (Medium)
CWE
- CWE-327 - Inadequate Encryption Strength
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41927",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T18:19:15.786596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T18:19:21.724Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eThe server supports at least one cipher suite which is on the NCSC-NL list of cipher suites to be phased out, increasing the risk of\ncryptographic weaknesses.\u003c/p\u003e\n\n\n\n\n\n\n\n"
}
],
"value": "The server supports at least one cipher suite which is on the NCSC-NL list of cipher suites to be phased out, increasing the risk of cryptographic weaknesses."
}
],
"impacts": [
{
"capecId": "CAPEC-97",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-97 Cryptanalysis"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327: Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T07:43:25.640Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Weak TLS Cipher Suites Supported in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41927",
"datePublished": "2024-07-02T07:43:25.640Z",
"dateReserved": "2023-09-05T10:14:50.217Z",
"dateUpdated": "2024-08-02T19:09:49.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41926 (GCVE-0-2023-41926)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:43 – Updated: 2024-08-02 19:09
VLAI?
Summary
The webserver utilizes basic authentication for its user login to the configuration interface. As encryption is disabled on port 80, it enables potential eavesdropping on user traffic, making it possible to intercept their credentials.
Severity ?
8.8 (High)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p1_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p2_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41926",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T10:55:55.881255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T10:55:59.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.320Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe webserver utilizes basic authentication for its user login to the configuration interface. As encryption is disabled on port 80, it enables potential eavesdropping on user traffic, making it possible to intercept their credentials.\u003cbr\u003e\u003c/p\u003e\n\n\n\n\n\n"
}
],
"value": "The webserver utilizes basic authentication for its user login to the configuration interface. As encryption is disabled on port 80, it enables potential eavesdropping on user traffic, making it possible to intercept their credentials."
}
],
"impacts": [
{
"capecId": "CAPEC-157",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-157 Sniffing Attacks"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T08:21:18.104Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insufficiently protected credentials in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41926",
"datePublished": "2024-07-02T07:43:16.362Z",
"dateReserved": "2023-09-05T10:14:50.217Z",
"dateUpdated": "2024-08-02T19:09:49.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41923 (GCVE-0-2023-41923)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:42 – Updated: 2024-08-02 19:09
VLAI?
Summary
The user management section of the web application permits the creation of user accounts with excessively weak passwords, including single-character passwords.
Severity ?
7.2 (High)
CWE
- CWE-521 - Weak Password Requirements
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p1_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p2_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T10:55:19.691029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T10:55:26.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe user management section of the web application permits the creation of user accounts with excessively weak passwords, including single-character passwords.\u003c/p\u003e\n\n\n\n\n\n"
}
],
"value": "The user management section of the web application permits the creation of user accounts with excessively weak passwords, including single-character passwords."
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521 Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T08:21:08.341Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Weak Password Requirements in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41923",
"datePublished": "2024-07-02T07:42:49.840Z",
"dateReserved": "2023-09-05T10:14:50.216Z",
"dateUpdated": "2024-08-02T19:09:49.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41922 (GCVE-0-2023-41922)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:42 – Updated: 2024-08-02 19:09
VLAI?
Summary
A 'Cross-site Scripting' (XSS) vulnerability, characterized by improper input neutralization during web page generation, has been discovered. This vulnerability allows for Stored XSS attacks to occur. Multiple areas within the administration interface of the webserver lack adequate input validation, resulting in multiple instances of Stored XSS vulnerabilities.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p1_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p2_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41922",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T14:01:30.394306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T14:05:45.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA \u0027Cross-site Scripting\u0027 (XSS) vulnerability, characterized by improper\ninput neutralization during web page generation, has been discovered. This vulnerability allows for\nStored XSS attacks to occur. Multiple areas within the administration interface\nof the webserver lack adequate input validation, resulting in multiple\ninstances of Stored XSS vulnerabilities.\u003c/p\u003e\n\n\n\n\n\n"
}
],
"value": "A \u0027Cross-site Scripting\u0027 (XSS) vulnerability, characterized by improper input neutralization during web page generation, has been discovered. This vulnerability allows for Stored XSS attacks to occur. Multiple areas within the administration interface of the webserver lack adequate input validation, resulting in multiple instances of Stored XSS vulnerabilities."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T08:21:00.778Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41922",
"datePublished": "2024-07-02T07:42:42.031Z",
"dateReserved": "2023-09-05T10:14:50.216Z",
"dateUpdated": "2024-08-02T19:09:49.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41921 (GCVE-0-2023-41921)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:42 – Updated: 2024-08-02 19:09
VLAI?
Summary
A vulnerability allows attackers to download source code or an executable from a remote location and execute the code without sufficiently verifying the origin and integrity of the code. This vulnerability can allow attackers to modify the firmware before uploading it to the system, thus achieving the modification of the target’s integrity to achieve an insecure state.
Severity ?
9.8 (Critical)
CWE
- CWE-494 - Download of Code Without Integrity Check
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p1_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p2_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41921",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T10:51:11.223029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T10:51:15.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgba(255, 255, 255, 0.7);\"\u003eA vulnerability allows attackers to download source code or an executable from a remote location and execute the code without sufficiently verifying the origin and integrity of the code. This vulnerability can allow attackers to modify the firmware before uploading it to the system, thus achieving the modification of the target\u2019s integrity to achieve an insecure state.\u003c/span\u003e\n\n\u003c/span\u003e\n\n"
}
],
"value": "A vulnerability allows attackers to download source code or an executable from a remote location and execute the code without sufficiently verifying the origin and integrity of the code. This vulnerability can allow attackers to modify the firmware before uploading it to the system, thus achieving the modification of the target\u2019s integrity to achieve an insecure state."
}
],
"impacts": [
{
"capecId": "CAPEC-184",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-184 Software Integrity Attack"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494 Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T08:20:37.969Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Download of Code Without Integrity Check in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41921",
"datePublished": "2024-07-02T07:42:33.722Z",
"dateReserved": "2023-09-05T10:14:50.216Z",
"dateUpdated": "2024-08-02T19:09:49.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41920 (GCVE-0-2023-41920)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:42 – Updated: 2024-08-02 19:09
VLAI?
Summary
The vulnerability allows attackers access to the root account without having to authenticate. Specifically, if the device is configured with the IP address of 10.10.10.10, the root user is automatically logged in.
Severity ?
9.8 (Critical)
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p1_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p2_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T10:52:36.148784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T10:52:42.017Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe vulnerability allows attackers access to the root account without having to authenticate. \u003c/span\u003e\u003cspan style=\"background-color: rgba(255, 255, 255, 0.7);\"\u003eSpecifically, if the device is configured with the IP address of 10.10.10.10, the root user is automatically logged in.\u003c/span\u003e\n\n"
}
],
"value": "The vulnerability allows attackers access to the root account without having to authenticate. Specifically, if the device is configured with the IP address of 10.10.10.10, the root user is automatically logged in."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T08:20:30.865Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass by Primary Weakness in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41920",
"datePublished": "2024-07-02T07:42:24.484Z",
"dateReserved": "2023-09-05T10:14:50.216Z",
"dateUpdated": "2024-08-02T19:09:49.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41919 (GCVE-0-2023-41919)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:42 – Updated: 2024-08-02 19:09
VLAI?
Summary
Hardcoded credentials are discovered within the application's source code, creating a potential security risk for unauthorized access.
Severity ?
9.8 (Critical)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p1_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p2_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T10:53:12.633052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T10:53:17.253Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHardcoded credentials are discovered within the application\u0027s source code, creating a potential security risk for unauthorized access.\u003c/p\u003e\n\n\n\n\n\n"
}
],
"value": "Hardcoded credentials are discovered within the application\u0027s source code, creating a potential security risk for unauthorized access."
}
],
"impacts": [
{
"capecId": "CAPEC-70",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-70 Try Common or Default Usernames and Passwords"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T08:20:21.516Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Use of Hard-coded Credentials in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41919",
"datePublished": "2024-07-02T07:42:16.318Z",
"dateReserved": "2023-09-05T10:14:50.216Z",
"dateUpdated": "2024-08-02T19:09:49.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41918 (GCVE-0-2023-41918)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:42 – Updated: 2024-08-02 19:09
VLAI?
Summary
A vulnerability allows unauthorized access to functionality inadequately constrained by ACLs. Attackers may exploit this to unauthenticated execute commands potentially leading to unauthorized data manipulation, access to privileged functions, or even the execution of arbitrary code.
Severity ?
10 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p1_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p2_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T10:53:42.844735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T10:54:20.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.350Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability allows unauthorized access to functionality inadequately\nconstrained by ACLs. Attackers may exploit this to unauthenticated execute\ncommands potentially leading to unauthorized data manipulation, access to\nprivileged functions, or even the execution of arbitrary code.\u003c/p\u003e\n\n\n\n\n\n"
}
],
"value": "A vulnerability allows unauthorized access to functionality inadequately constrained by ACLs. Attackers may exploit this to unauthenticated execute commands potentially leading to unauthorized data manipulation, access to privileged functions, or even the execution of arbitrary code."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T08:20:11.611Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authentication for Critical Function in Kiloview P1/P2 devices"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41918",
"datePublished": "2024-07-02T07:42:08.260Z",
"dateReserved": "2023-09-05T10:14:50.216Z",
"dateUpdated": "2024-08-02T19:09:49.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41917 (GCVE-0-2023-41917)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:41 – Updated: 2024-08-02 19:09
VLAI?
Summary
Inadequate input validation exposes the system to potential remote code execution (RCE) risks. Attackers can exploit this vulnerability by appending shell commands to the Speed-Measurement feature, enabling unauthorized code execution.
Severity ?
10 (Critical)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:p1_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p1_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:p2_4g_video_encoder_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "p2_4g_video_encoder_firmware",
"vendor": "kiloview",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41917",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T10:54:08.026724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T10:54:13.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "P1/P2",
"vendor": "Kiloview",
"versions": [
{
"lessThanOrEqual": "4.8.2605",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInadequate input validation\nexposes the system to potential remote code execution (RCE) risks. Attackers\ncan exploit this vulnerability by appending shell commands to the\nSpeed-Measurement feature, enabling unauthorized code execution.\u003c/p\u003e\n\n\n\n\n\n"
}
],
"value": "Inadequate input validation exposes the system to potential remote code execution (RCE) risks. Attackers can exploit this vulnerability by appending shell commands to the Speed-Measurement feature, enabling unauthorized code execution."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T08:20:00.588Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper input validation in Kiloview P1/P2 devices allows for remote code execution"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2023-41917",
"datePublished": "2024-07-02T07:41:28.397Z",
"dateReserved": "2023-09-05T10:14:50.215Z",
"dateUpdated": "2024-08-02T19:09:49.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2162 (GCVE-0-2024-2162)
Vulnerability from cvelistv5 – Published: 2024-03-21 06:00 – Updated: 2024-08-27 20:10
VLAI?
Summary
An OS Command Injection vulnerability in Kiloview NDI allows a low-privileged user to execute arbitrary code remotely on the device with high privileges.
This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .
Severity ?
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
Credits
Milan Duric, EBU
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:38.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n3-for-ndi/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n3-s-firmware-download/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/1779/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n20-firmware-download/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n30-for-ndi/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n40/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:ndi_n3_firmware:2.02.0227:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ndi_n3_firmware",
"vendor": "kiloview",
"versions": [
{
"status": "affected",
"version": "2.02.0227"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:ndi_n3-s_firmware:2.02.0227:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ndi_n3-s_firmware",
"vendor": "kiloview",
"versions": [
{
"status": "affected",
"version": "2.02.0227"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:ndi_n4_firmware:2.02.0227:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ndi_n4_firmware",
"vendor": "kiloview",
"versions": [
{
"status": "affected",
"version": "2.02.0227"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:ndi_n20_firmware:2.02.0227:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ndi_n20_firmware",
"vendor": "kiloview",
"versions": [
{
"status": "affected",
"version": "2.02.0227"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:ndi_n30_firmware:2.02.0227:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ndi_n30_firmware",
"vendor": "kiloview",
"versions": [
{
"status": "affected",
"version": "2.02.0227"
}
]
},
{
"cpes": [
"cpe:2.3:o:kiloview:ndi_n40_firmware:2.02.0227:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ndi_n40_firmware",
"vendor": "kiloview",
"versions": [
{
"status": "affected",
"version": "2.02.0227"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T19:04:38.388761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:10:16.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "NDI",
"vendor": "Kiloview",
"versions": [
{
"status": "unaffected",
"version": "N3 Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N3-s Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N4 Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N20 Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N30 Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N40 Firmware 2.02.0227"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Milan Duric, EBU"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS Command Injection vulnerability in Kiloview NDI allows a low-privileged user to execute arbitrary code remotely on the device with high privileges.\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "An OS Command Injection vulnerability in Kiloview NDI allows a low-privileged user to execute arbitrary code remotely on the device with high privileges.\n\nThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-21T06:00:35.823Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n3-for-ndi/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n3-s-firmware-download/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/1779/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n20-firmware-download/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n30-for-ndi/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n40/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to the firmware 2.02.0227 or later\u003cbr\u003e"
}
],
"value": "Upgrade to the firmware 2.02.0227 or later\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authenticated Remote Code Execution in Kiloview NDI N series products",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict access to the \nmanagement interface of all affected Kiloview devices by applying strict firewall rules or other available means.\n\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Restrict access to the \nmanagement interface of all affected Kiloview devices by applying strict firewall rules or other available means.\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2024-2162",
"datePublished": "2024-03-21T06:00:35.823Z",
"dateReserved": "2024-03-04T13:18:32.464Z",
"dateUpdated": "2024-08-27T20:10:16.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2161 (GCVE-0-2024-2161)
Vulnerability from cvelistv5 – Published: 2024-03-21 06:00 – Updated: 2024-08-02 15:06
VLAI?
Summary
Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authenticationThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .
Severity ?
9.8 (Critical)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
Credits
Milan Duric, EBU
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.093Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n3-for-ndi/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n3-s-firmware-download/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/1779/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n20-firmware-download/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n30-for-ndi/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://www.kiloview.com/en/support/download/n40/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:kiloview:ndi_n20_firmware:2.02.0227:*:*:*:*:*:*:*",
"cpe:2.3:o:kiloview:ndi_n30_firmware:2.02.0227:*:*:*:*:*:*:*",
"cpe:2.3:o:kiloview:ndi_n3_firmware:2.02.0227:*:*:*:*:*:*:*",
"cpe:2.3:o:kiloview:ndi_n3-s_firmware:2.02.0227:*:*:*:*:*:*:*",
"cpe:2.3:o:kiloview:ndi_n40_firmware:2.02.0227:*:*:*:*:*:*:*",
"cpe:2.3:o:kiloview:ndi_n4_firmware:2.02.0227:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "ndi_n4_firmware",
"vendor": "kiloview",
"versions": [
{
"status": "affected",
"version": "2.02.0227"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T15:00:37.605387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T15:06:30.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "NDI",
"vendor": "Kiloview",
"versions": [
{
"status": "unaffected",
"version": "N3 Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N3-s Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N4 Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N20 Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N30 Firmware 2.02.0227"
},
{
"status": "unaffected",
"version": "N40 Firmware 2.02.0227"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Milan Duric, EBU"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authentication\u003cp\u003eThis issue affects\u0026nbsp;Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version\u0026nbsp;2.02.0227 .\u003c/p\u003e"
}
],
"value": "Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authenticationThis issue affects\u00a0Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version\u00a02.02.0227 .\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-21T06:00:17.957Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n3-for-ndi/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n3-s-firmware-download/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/1779/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n20-firmware-download/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n30-for-ndi/"
},
{
"tags": [
"release-notes"
],
"url": "https://www.kiloview.com/en/support/download/n40/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to the firmware 2.02.0227 or later\u003cbr\u003e"
}
],
"value": "Upgrade to the firmware 2.02.0227 or later\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Use of Hard-coded Credentials in Kiloview NDI N series products API middleware",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Restrict access to the \nmanagement interface of all affected Kiloview devices by applying strict firewall rules or other available means.\n\u003cbr\u003e"
}
],
"value": "Restrict access to the \nmanagement interface of all affected Kiloview devices by applying strict firewall rules or other available means.\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2024-2161",
"datePublished": "2024-03-21T06:00:17.957Z",
"dateReserved": "2024-03-04T13:18:31.014Z",
"dateUpdated": "2024-08-02T15:06:30.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}