Vendor CVEs
Geovision
All CVEs
44 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-4606 | | Cri | 0.65 | — | 0.00 | | Mar 23, 2026 | GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system. During installation, ERM creates a Windows service that runs under the LocalSystem account. … |
| CVE-2018-25118 | | Cri | 0.65 | — | 0.01 | | Oct 20, 2025 | GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. The vulnerable models have been declared end-of-life (EOL) by the… |
| CVE-2026-42368 | | Cri | 0.64 | 9.9 | 0.00 | | May 4, 2026 | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute privileged operation. An attacker can visit a webpage to trigger this vulnerability. |
| CVE-2026-42364 | | Cri | 0.64 | 9.9 | 0.02 | | May 4, 2026 | An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability. |
| CVE-2025-26264 | | Hig | 0.63 | 8.8 | 0.18 | | Feb 27, 2025 | GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. An authenticated attacker with "System Settings" privileges in ASWeb can exploit this flaw to execute arbitrary… |
| CVE-2024-56898 | | Hig | 0.61 | 8.8 | 0.02 | | Feb 3, 2025 | Broken access control vulnerability in Geovision GV-ASWeb with version v6.1.0.0 or less. This vulnerability allows low privilege users perform actions that they aren't authorized to, which can be leveraged to escalate privileges, create, modify or delete accounts. |
| CVE-2026-7161 | | Cri | 0.60 | 9.3 | 0.00 | | May 4, 2026 | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When… |
| CVE-2026-42363 | | Cri | 0.60 | 9.3 | 0.00 | | Apr 27, 2026 | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When… |
| CVE-2024-56901 | | Hig | 0.60 | 8.8 | 0.02 | | Feb 3, 2025 | A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASWeb application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Administrator accounts via a crafted GET request method. This vulnerability is used in chain with CVE-2024-56903 for a… |
| CVE-2026-7372 | | Cri | 0.59 | 9.0 | 0.00 | | May 4, 2026 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. … |
| CVE-2026-42370 | | Cri | 0.59 | 9.0 | 0.01 | | May 4, 2026 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to an arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. |
| CVE-2026-7841 | | Hig | 0.57 | 8.8 | 0.01 | | May 6, 2026 | A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to… |
| CVE-2026-42365 | | Hig | 0.56 | 8.6 | 0.00 | | May 4, 2026 | A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can bruteforce session cookies to trigger this vulnerability. |
| CVE-2024-56902 | | Hig | 0.54 | 7.5 | 0.21 | | Feb 3, 2025 | Information disclosure vulnerability in Geovision GV-ASManager web application with the version v6.1.0.0 or less, which discloses account information, including cleartext password. |
| CVE-2024-56903 | | Hig | 0.53 | 8.1 | 0.00 | | Feb 3, 2025 | Geovision GV-ASWeb with the version 6.1.1.0 or less allows attackers to modify POST request method with the GET against critical functionalities, such as account management. This vulnerability is used in chain with CVE-2024-56901 for a successful CSRF attack. |
| CVE-2026-7371 | | Hig | 0.48 | 7.4 | 0.00 | | May 4, 2026 | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to… |
| CVE-2026-42366 | | Hig | 0.48 | 7.4 | 0.00 | | May 4, 2026 | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious url can lead to an arbitrary javascript code execution. An attacker can provide a crafted URL to… |
| CVE-2026-42367 | | Med | 0.42 | 6.5 | 0.00 | | May 4, 2026 | A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability. |
| CVE-2021-47795 | | Med | 0.40 | 6.2 | 0.01 | | Jan 16, 2026 | GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection… |
| CVE-2025-26263 | | Med | 0.36 | 5.1 | 0.01 | | Feb 28, 2025 | GeoVision ASManager Windows desktop application with the version 6.1.2.0 or less (fixed in 6.2.0), is vulnerable to credentials disclosure due to improper memory handling in the ASManagerService.exe process. |
| CVE-2024-6047 | | | 0.18 | — | 0.10 | KEV | Jun 17, 2024 | Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. |
| CVE-2009-1092 | | | 0.04 | — | 0.09 | | Mar 25, 2009 | Use-after-free vulnerability in the LIVEAUDIO.LiveAudioCtrl.1 ActiveX control in LIVEAU~1.OCX 7.0 for GeoVision DVR systems allows remote attackers to execute arbitrary code by calling the GetAudioPlayingTime method with certain arguments. |
| CVE-2009-5087 | | | 0.03 | — | 0.04 | | Sep 12, 2011 | Directory traversal vulnerability in geohttpserver in Geovision Digital Video Surveillance System 8.2 allows remote attackers to read arbitrary files via a .. (dot dot) in a GET request. |
| CVE-2009-0865 | | | 0.03 | — | 0.06 | | Mar 10, 2009 | Directory traversal vulnerability in the SnapShotToFile method in the GeoVision LiveX (aka LiveX_v8200) ActiveX control 8.1.2 and 8.2.0 in LIVEX_~1.OCX allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in the argument, possibly involving the PlayX… |
| CVE-2005-1552 | | | 0.03 | — | 0.03 | | May 14, 2005 | GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0, when set to create JPEG images, does not properly protect an image even when a password and username is assigned, which may allow remote attackers to gain sensitive information via a direct request to the image. |
| CVE-2026-12851 | | | 0.00 | — | 0.02 | | Jun 24, 2026 | Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so`… |
| CVE-2026-12850 | | | 0.00 | — | 0.02 | | Jun 24, 2026 | Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so`… |
| CVE-2026-12849 | | | 0.00 | — | 0.02 | | Jun 24, 2026 | Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so`… |
| CVE-2026-12486 | | | 0.00 | — | 0.02 | | Jun 24, 2026 | Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so`… |
| CVE-2026-12848 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service… |
| CVE-2026-12847 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service… |
| CVE-2026-12485 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service… |
| CVE-2026-12488 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability. |
| CVE-2024-12553 | | | 0.00 | — | 0.01 | | Dec 13, 2024 | GeoVision GV-ASManager Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of GeoVision GV-ASManager. Although authentication is required to exploit this vulnerability,… |
| CVE-2022-46070 | | | 0.00 | — | 0.00 | | Mar 11, 2024 | GV-ASManager V6.0.1.0 contains a Local File Inclusion vulnerability in GeoWebServer via Path. |
| CVE-2023-3638 | | | 0.00 | — | 0.01 | | Jul 19, 2023 | In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application. |
| CVE-2023-23059 | | | 0.00 | — | 0.01 | | May 4, 2023 | An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for windows, which contains improper permissions within the default installation and allows attackers to execute arbitrary code and gain escalated privileges. |
| CVE-2020-3931 | | | 0.00 | — | 0.02 | | Jul 8, 2020 | Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command. |
| CVE-2020-3930 | | | 0.00 | — | 0.00 | | Jun 12, 2020 | GeoVision Door Access Control device family improperly stores and controls access to system logs, any users can read these logs. |
| CVE-2020-3929 | | | 0.00 | — | 0.01 | | Jun 12, 2020 | GeoVision Door Access Control device family employs shared cryptographic private keys for SSH and HTTPS. Attackers may conduct MITM attack with the derived keys and plaintext recover of encrypted messages. |
| CVE-2020-3928 | | | 0.00 | — | 0.01 | | Jun 12, 2020 | GeoVision Door Access Control device family is hardcoded with a root password, which adopting an identical password in all devices. |
| CVE-2005-1553 | | | 0.00 | — | 0.01 | | May 14, 2005 | GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0 uses a weak encryption scheme to encrypt passwords, which allows remote attackers to obtain the password via sniffing. |
| CVE-2004-2100 | | | 0.00 | — | 0.01 | | Dec 31, 2004 | GeoHttpServer, when configured to authenticate users, allows remote attackers to bypass authentication and access unauthorized files via a URL that contains %0a%0a (encoded newlines). |
| CVE-2004-2101 | | | 0.00 | — | 0.02 | | Dec 31, 2004 | The sysinfo script in GeoHttpServer allows remote attackers to cause a denial of service (crash) via a long pwd parameter, possibly triggering a buffer overflow. |