A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute priviledged operation. An attacker can visit a webpage to trigger this vulnerability.
The vulnerability results from improper authorization verification (CWE-266) in the device's web interface layer. An attacker authenticated as a user with low privilege level can send a specially crafted HTTP request that causes execution of operations reserved for the administrator. Exploiting the vulnerability only requires visiting an appropriately prepared page or sending a request to a specific web endpoint without requiring any interaction on the victim's side.
An attacker can gain full control of the device by performing privileged operations — which with a changed scope vector (Scope: Changed) can result in compromising the confidentiality, integrity and availability of both the device itself and systems associated with it.
Apply patches available from the manufacturer in accordance with the references (https://www.geovision.com.tw/cyber_security.php). Additionally, it is recommended to restrict access to the web interface of devices exclusively to trusted networks and implement multi-factor authentication mechanisms where possible.
GeoVision GV-LPC2011 and GV-LPC2211 with firmware version 1.10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HGeovision Gv Lpc2011
HWGeovisionwszystkie wersjeGeovision Gv Lpc2011 Firmware
OSGeovision1.10Geovision Gv Lpc2211
HWGeovisionwszystkie wersjeGeovision Gv Lpc2211 Firmware
OSGeovision1.10
Related vulnerabilities
Command injection w GeoVision LPC2011/LPC2211 via konfiguracja DDNS
A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC221...
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionali...
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionali...
A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/...