Vulnerability-Lookup

CVE-2020-11681 (GCVE-0-2020-11681)

Vulnerability from cvelistv5 – Published: 2020-06-04 18:40 – Updated: 2024-08-04 11:35

Summary

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

Assigner

mitre

References

3 references

URL	Tags
https://www.securitymetrics.com/blog/attackers-kn…	x_refsource_MISC
http://seclists.org/fulldisclosure/2020/Jun/8	mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/157954/Caste…	x_refsource_MISC

Date Public

2020-06-03 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:35:13.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass"
          },
          {
            "name": "20200605 Castel NextGen DVR multiple CVEs",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2020/Jun/8"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2020-06-03T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-05T19:06:05.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass"
        },
        {
          "name": "20200605 Castel NextGen DVR multiple CVEs",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2020/Jun/8"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-11681",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass",
              "refsource": "MISC",
              "url": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass"
            },
            {
              "name": "20200605 Castel NextGen DVR multiple CVEs",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2020/Jun/8"
            },
            {
              "name": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-11681",
    "datePublished": "2020-06-04T18:40:52.000Z",
    "dateReserved": "2020-04-10T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:35:13.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-11681",
      "date": "2026-06-14",
      "epss": "0.00258",
      "percentile": "0.4964"
    },
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:castel:nextgen_dvr_firmware:1.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B8F4BE34-AC2F-4FE9-BDDE-C9E88FA59A0A\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:castel:nextgen_dvr:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A3513CE5-CB6F-43C0-B37A-D135C027310B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials.\"}, {\"lang\": \"es\", \"value\": \"Castel NextGen DVR versi\\u00f3n v1.0.0, almacena y muestra las credenciales para el servidor SMTP asociado en texto sin cifrar. Los usuarios poco privilegiados pueden explotar esto para crear un usuario administrador y obtener las credenciales SMTP\"}]",
      "id": "CVE-2020-11681",
      "lastModified": "2024-11-21T04:58:23.323",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-06-04T19:15:12.850",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2020/Jun/8\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2020/Jun/8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-11681\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-06-04T19:15:12.850\",\"lastModified\":\"2024-11-21T04:58:23.323\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials.\"},{\"lang\":\"es\",\"value\":\"Castel NextGen DVR versi\u00f3n v1.0.0, almacena y muestra las credenciales para el servidor SMTP asociado en texto sin cifrar. Los usuarios poco privilegiados pueden explotar esto para crear un usuario administrador y obtener las credenciales SMTP\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:castel:nextgen_dvr_firmware:1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8F4BE34-AC2F-4FE9-BDDE-C9E88FA59A0A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:castel:nextgen_dvr:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3513CE5-CB6F-43C0-B37A-D135C027310B\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Jun/8\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Jun/8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

CNVD-2021-24900

Vulnerability from cnvd - Published: 2021-04-04

Title

Castel NextGen DVR管理员创建漏洞

Description

Castel NextGen DVR是一款网络视频设备。 Castel NextGen DVR存在安全漏洞，允许远程攻击者可以利用漏洞提交特殊的请求，可创建管理员用户或获取SMTP验证凭据。

Severity

中

Patch Name

Castel NextGen DVR管理员创建漏洞的补丁

Patch Description

Castel NextGen DVR是一款网络视频设备。 Castel NextGen DVR存在安全漏洞，允许远程攻击者可以利用漏洞提交特殊的请求，可创建管理员用户或获取SMTP验证凭据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下厂商提供的安全补丁以修复该漏洞： https://www.castel.com/

Reference

https://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html

Impacted products

Name
Castel NextGen DVR 1.0.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-11681"
    }
  },
  "description": "Castel NextGen DVR\u662f\u4e00\u6b3e\u7f51\u7edc\u89c6\u9891\u8bbe\u5907\u3002\n\nCastel NextGen DVR\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u53ef\u521b\u5efa\u7ba1\u7406\u5458\u7528\u6237\u6216\u83b7\u53d6SMTP\u9a8c\u8bc1\u51ed\u636e\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://www.castel.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-24900",
  "openTime": "2021-04-04",
  "patchDescription": "Castel NextGen DVR\u662f\u4e00\u6b3e\u7f51\u7edc\u89c6\u9891\u8bbe\u5907\u3002\r\n\r\nCastel NextGen DVR\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u53ef\u521b\u5efa\u7ba1\u7406\u5458\u7528\u6237\u6216\u83b7\u53d6SMTP\u9a8c\u8bc1\u51ed\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Castel NextGen DVR\u7ba1\u7406\u5458\u521b\u5efa\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Castel NextGen DVR 1.0.0"
  },
  "referenceLink": "https://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-05",
  "title": "Castel NextGen DVR\u7ba1\u7406\u5458\u521b\u5efa\u6f0f\u6d1e"
}

FKIE_CVE-2020-11681

Vulnerability from fkie_nvd - Published: 2020-06-04 19:15 - Updated: 2024-11-21 04:58

Severity

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
cve@mitre.org	http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html	Third Party Advisory
cve@mitre.org	http://seclists.org/fulldisclosure/2020/Jun/8	Mailing List, Third Party Advisory
cve@mitre.org	https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2020/Jun/8	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass	Third Party Advisory

Impacted products

	Vendor	Product	Version
	castel	nextgen_dvr_firmware	1.0.0
	castel	nextgen_dvr	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:castel:nextgen_dvr_firmware:1.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8F4BE34-AC2F-4FE9-BDDE-C9E88FA59A0A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:castel:nextgen_dvr:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3513CE5-CB6F-43C0-B37A-D135C027310B",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials."
    },
    {
      "lang": "es",
      "value": "Castel NextGen DVR versi\u00f3n v1.0.0, almacena y muestra las credenciales para el servidor SMTP asociado en texto sin cifrar. Los usuarios poco privilegiados pueden explotar esto para crear un usuario administrador y obtener las credenciales SMTP"
    }
  ],
  "id": "CVE-2020-11681",
  "lastModified": "2024-11-21T04:58:23.323",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-04T19:15:12.850",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2020/Jun/8"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2020/Jun/8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-P6QR-X996-PVWX

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-11681"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-04T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials.",
  "id": "GHSA-p6qr-x996-pvwx",
  "modified": "2022-05-24T17:19:16Z",
  "published": "2022-05-24T17:19:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11681"
    },
    {
      "type": "WEB",
      "url": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2020/Jun/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2020-11681

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-11681

Aliases

CVE-2020-11681

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-11681",
    "description": "Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials.",
    "id": "GSD-2020-11681",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2020-11681"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-11681"
      ],
      "details": "Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials.",
      "id": "GSD-2020-11681",
      "modified": "2023-12-13T01:22:07.991807Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2020-11681",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass",
            "refsource": "MISC",
            "url": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass"
          },
          {
            "name": "20200605 Castel NextGen DVR multiple CVEs",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2020/Jun/8"
          },
          {
            "name": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:castel:nextgen_dvr_firmware:1.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:castel:nextgen_dvr:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-11681"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-522"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass"
            },
            {
              "name": "20200605 Castel NextGen DVR multiple CVEs",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2020/Jun/8"
            },
            {
              "name": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2020-06-10T17:31Z",
      "publishedDate": "2020-06-04T19:15Z"
    }
  }
}

VAR-202006-0044

Vulnerability from variot - Updated: 2023-12-18 12:27

Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials. Castel NextGen DVR Exists in an inadequate protection of credentials.Information may be obtained or tampered with. All issues are associated with Castel NextGen DVR v1.0.0 and have been resolved in v1.0.1.

CVE-2020-11679 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679

Original Disclosure https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description A low privileged user can call functionality reserved for an Administrator which promotes a low privileged account to the Administrator role:

POST /Administration/Users/Edit/:ID HTTP/1.1

Host: $RHOST User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: $REVIEWER_COOKIES DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 349

UserId=:ID&Email=bypass%40test.com &FirstName=bypass&LastName=bypass&LDAPUser=false

&Roles%5B0%5D.RoleId=1&Roles%5B0%5D.IsSelected=true&Roles%5B0%5D.IsSelected=false

&Roles%5B1%5D.RoleId=3&Roles%5B1%5D.IsSelected=true&Roles%5B1%5D.IsSelected=false

&Roles%5B2%5D.RoleId=5&Roles%5B2%5D.IsSelected=true&Roles%5B2%5D.IsSelected=false &Locked=false

CVE-2020-11680 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11680

Original Disclosure https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description The application does not perform an authorization check before functionality is performed. Low privileged users are prevented from browsing to pages that perform Administrator functionality using GET, however, functionality can be performed by directly crafting the associated POST request. This can be exploited to modify user accounts, modify the application, etc. Combined with the reported CSRF, CVE-2020-11682, any user of the application can be used to grant Administrator access to a malicious user.

CVE-2020-11681 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11681

Original Disclosure https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass

Description Credentials are returned in cleartext in the source of the SMTP page. If a malicious user compromises an account. or exploits the CSRF to gain access to the application, the associated SMTP server/account could also be compromised.

CVE-2020-11682 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11682

Original Disclosure https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf

Description The application does not properly prevent CSRF; the __RequestVerificationToken, which is included with state changing requests, is not verified by the application - requests are successful even when the token is removed.

AARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE [image: SecurityMetrics]

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202006-0044",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "nextgen dvr",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "castel",
        "version": "1.0.0"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11681"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:castel:nextgen_dvr_firmware:1.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:castel:nextgen_dvr:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-11681"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Aaron Bishop",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "157954"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2020-11681",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.0,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.0,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-006192",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.0,
            "id": "CNVD-2021-24900",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.2,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 8.1,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-006192",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-11681",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-006192",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2021-24900",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202006-503",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11681"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials. Castel NextGen DVR Exists in an inadequate protection of credentials.Information may be obtained or tampered with. All issues are associated with *Castel NextGen DVR v1.0.0 *and have been\nresolved in v1.0.1*.*\n\n-------------------------------\n*CVE-2020-11679\n\u003chttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11679\u003e*\n\n\n*Original Disclosure*\nhttps://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass\n\n*Description*\nA low privileged user can call functionality reserved for an Administrator\nwhich promotes a low privileged account to the Administrator role:\n\nPOST /Administration/Users/Edit/:ID HTTP/1.1\n\u003e Host: $RHOST\n\u003e User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\u003e Firefox/52.0\n\u003e Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n\u003e Accept-Language: en-US,en;q=0.5\n\u003e Accept-Encoding: gzip, deflate\n\u003e Cookie: $REVIEWER_COOKIES\n\u003e DNT: 1\n\u003e Connection: close\n\u003e Upgrade-Insecure-Requests: 1\n\u003e Content-Type: application/x-www-form-urlencoded\n\u003e Content-Length: 349\n\n\n\u003e UserId=:ID\u0026Email=bypass%40test.com\n\u003e \u0026FirstName=bypass\u0026LastName=bypass\u0026LDAPUser=false\n\u003e\n\u003e \u0026Roles%5B0%5D.RoleId=1\u0026Roles%5B0%5D.IsSelected=true\u0026Roles%5B0%5D.IsSelected=false\n\u003e\n\u003e \u0026Roles%5B1%5D.RoleId=3\u0026Roles%5B1%5D.IsSelected=true\u0026Roles%5B1%5D.IsSelected=false\n\u003e\n\u003e \u0026Roles%5B2%5D.RoleId=5\u0026Roles%5B2%5D.IsSelected=true\u0026Roles%5B2%5D.IsSelected=false\n\u003e \u0026Locked=false\n\n-------------------------------\n*CVE-2020-11680\n\u003chttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11680\u003e*\n\n*Original Disclosure*\nhttps://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass\n\n*Description*\nThe application does not perform an authorization check before\nfunctionality is performed.  Low privileged users are prevented from\nbrowsing to pages that perform Administrator functionality using GET,\nhowever, functionality can be performed by directly crafting the associated\nPOST request.   This can be exploited to modify user accounts, modify the\napplication, etc.  Combined with the reported CSRF, CVE-2020-11682, any\nuser of the application can be used to grant Administrator access to a\nmalicious user. \n-------------------------------\n*CVE-2020-11681\n\u003chttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11681\u003e*\n\n*Original Disclosure*\nhttps://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass\n\n*Description*\nCredentials are returned in cleartext in the source of the SMTP page.  If a\nmalicious user compromises an account. or exploits the CSRF to gain access\nto the application,  the associated SMTP server/account could also be\ncompromised. \n-------------------------------\n*CVE-2020-11682\n\u003chttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11682\u003e*\n\n*Original Disclosure*\nhttps://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf\n\n*Description*\nThe application does not properly prevent CSRF; the\n__RequestVerificationToken, which is included with state changing requests,\nis not verified by the application - requests are successful even when the\ntoken is removed. \n\nAARON BISHOP | Principal Penetration Tester CISSP, OSCP, OSWE [image:\nSecurityMetrics]\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-11681"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      },
      {
        "db": "PACKETSTORM",
        "id": "157954"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-11681",
        "trust": 3.1
      },
      {
        "db": "PACKETSTORM",
        "id": "157954",
        "trust": 3.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-503",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "db": "PACKETSTORM",
        "id": "157954"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11681"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ]
  },
  "id": "VAR-202006-0044",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      }
    ],
    "trust": 1.2666667
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:27:28.607000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Digital Video Recorder (DVR)",
        "trust": 0.8,
        "url": "http://castle-cctv.kr/digital-video-recorder-dvr/"
      },
      {
        "title": "Patch for Castel NextGen DVR administrator creates vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/255921"
      },
      {
        "title": "Castel NextGen DVR Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=121160"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-522",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11681"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.6,
        "url": "http://packetstormsecurity.com/files/157954/castel-nextgen-dvr-1.0.0-bypass-csrf-disclosure.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass"
      },
      {
        "trust": 1.6,
        "url": "http://seclists.org/fulldisclosure/2020/jun/8"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11681"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11681"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11680"
      },
      {
        "trust": 0.1,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11679\u003e*"
      },
      {
        "trust": 0.1,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11681\u003e*"
      },
      {
        "trust": 0.1,
        "url": "https://www.securitymetrics.com/blog/where-did-request-come-from-cross-site-request-forgery-csrf"
      },
      {
        "trust": 0.1,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11680\u003e*"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11679"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11682"
      },
      {
        "trust": 0.1,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11682\u003e*"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "db": "PACKETSTORM",
        "id": "157954"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11681"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "db": "PACKETSTORM",
        "id": "157954"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11681"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-04-04T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      },
      {
        "date": "2020-07-02T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "date": "2020-06-05T18:19:24",
        "db": "PACKETSTORM",
        "id": "157954"
      },
      {
        "date": "2020-06-04T19:15:12.850000",
        "db": "NVD",
        "id": "CVE-2020-11681"
      },
      {
        "date": "2020-06-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-04-04T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-24900"
      },
      {
        "date": "2020-07-02T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      },
      {
        "date": "2020-06-10T17:31:33.467000",
        "db": "NVD",
        "id": "CVE-2020-11681"
      },
      {
        "date": "2021-01-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Castel NextGen DVR Vulnerability regarding inadequate protection of credentials in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-006192"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-503"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-11681 (GCVE-0-2020-11681)

CNVD-2021-24900

FKIE_CVE-2020-11681

GHSA-P6QR-X996-PVWX

GSD-2020-11681

VAR-202006-0044

Tags

Sightings

Nomenclature