CVE-2021-40414

Published: Jan 28, 2022Modified: Nov 21, 2024

7.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Exploitability: 2.8 / Impact: 4.2

Source: NVD

Description

An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The SetMdAlarm API sets the movement detection parameters, giving the ability to set the sensitivity of the camera per a range of hours, and which of the camera spaces to ignore when considering movement detection. Because in cgi_check_ability the SetMdAlarm API does not have a specific case, the user permission will default to 7. This will give non-administrative users the possibility to change the movement detection parameters.

Affected (1)

Products: Reolink: Rlc 410w Firmware

1 product

Rlc 410w Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Reolink Rlc 410w Firmware	Version 3.0.0.136_20121102

Running on/with	Platform Versions
Reolink Rlc 410w	All versions

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (2)

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1425

Source: talos-cna@cisco.com

ExploitTechnical DescriptionThird Party Advisory

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1425

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

Timeline

No history available yet.