PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
References
Link | Resource |
---|---|
https://ptzoptics.com/firmware-changelog/ | Release Notes |
https://vulncheck.com/advisories/ptzoptics-insufficient-auth | Third Party Advisory |
Configurations
History
01 Oct 2024, 16:01
Type | Values Removed | Values Added |
---|---|---|
References | () https://ptzoptics.com/firmware-changelog/ - Release Notes | |
References | () https://vulncheck.com/advisories/ptzoptics-insufficient-auth - Third Party Advisory | |
CPE | cpe:2.3:o:ptzoptics:pt30x-ndi-xx-g2_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:ptzoptics:pt30x-ndi-xx-g2:-:*:*:*:*:*:*:* cpe:2.3:h:ptzoptics:pt30x-sdi:-:*:*:*:*:*:*:* cpe:2.3:o:ptzoptics:pt30x-sdi_firmware:*:*:*:*:*:*:*:* |
|
First Time |
Ptzoptics pt30x-ndi-xx-g2 Firmware
Ptzoptics pt30x-sdi Firmware Ptzoptics Ptzoptics pt30x-sdi Ptzoptics pt30x-ndi-xx-g2 |
20 Sep 2024, 12:30
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
17 Sep 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-17 20:15
Updated : 2024-11-05 02:00
NVD link : CVE-2024-8956
Mitre link : CVE-2024-8956
CVE.ORG link : CVE-2024-8956
JSON object : View
Products Affected
ptzoptics
- pt30x-sdi
- pt30x-sdi_firmware
- pt30x-ndi-xx-g2
- pt30x-ndi-xx-g2_firmware
CWE
CWE-287
Improper Authentication