CVE-2020-22002

Published: Apr 29, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI <=6.x within the GetImage functionality. The application parses user supplied data in the GET parameter 'host' to construct an image request to the service through onvif.cgi. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.

Affected (6)

Products: Inim: Smartliving 505 Firmware, Smartliving 515 Firmware, Smartliving 1050 Firmware, Smartliving 1050g3 Firmware, Smartliving 10100l Firmware, Smartliving 10100lg3 Firmware

Inim

6 products

Smartliving 505 Firmware

Smartliving 515 Firmware

Smartliving 1050 Firmware

Smartliving 1050g3 Firmware

Smartliving 10100l Firmware

Smartliving 10100lg3 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inim Smartliving 505 Firmware	All versions

Running on/with	Platform Versions
Inim Smartliving 505	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inim Smartliving 515 Firmware	All versions

Running on/with	Platform Versions
Inim Smartliving 515	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inim Smartliving 1050 Firmware	All versions

Running on/with	Platform Versions
Inim Smartliving 1050	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inim Smartliving 1050g3 Firmware	All versions

Running on/with	Platform Versions
Inim Smartliving 1050g3	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inim Smartliving 10100l Firmware	All versions

Running on/with	Platform Versions
Inim Smartliving 10100l	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inim Smartliving 10100lg3 Firmware	All versions

Running on/with	Platform Versions
Inim Smartliving 10100lg3	All versions

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://exchange.xforce.ibmcloud.com/vulnerabilities/172839

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php

Source: cve@mitre.org

ExploitThird Party Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/172839

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.