Vulnerabilities (CVE)

Filtered by vendor Inim Subscribe
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-22002 1 Inim 12 Smartliving 10100l, Smartliving 10100l Firmware, Smartliving 10100lg3 and 9 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
An Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI <=6.x within the GetImage functionality. The application parses user supplied data in the GET parameter 'host' to construct an image request to the service through onvif.cgi. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
CVE-2020-21995 1 Inim 12 Smartliving 10100l, Smartliving 10100l Firmware, Smartliving 10100lg3 and 9 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
Inim Electronics Smartliving SmartLAN/G/SI <=6.x uses default hardcoded credentials. An attacker could exploit this to gain Telnet, SSH and FTP access to the system.
CVE-2020-21992 1 Inim 12 Smartliving 10100l, Smartliving 10100l Firmware, Smartliving 10100lg3 and 9 more 2024-11-21 9.0 HIGH 8.8 HIGH
Inim Electronics SmartLiving SmartLAN/G/SI <=6.x suffers from an authenticated remote command injection vulnerability. The issue exist due to the 'par' POST parameter not being sanitized when called with the 'testemail' module through web.cgi binary. The vulnerable CGI binary (ELF 32-bit LSB executable, ARM) is calling the 'sh' executable via the system() function to issue a command using the mailx service and its vulnerable string format parameter allowing for OS command injection with root privileges. An attacker can remotely execute system commands as the root user using default credentials and bypass access controls in place.