CVE-2019-7315
Published 2019-06-17
Priority: P261 | high | 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 11.20% (95.4th percentile)
Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.x are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. NOTE: this product is discontinued, and its final firmware version has this vulnerability (4.x versions exist only for other Genie Access products).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| genieaccess | wip3bvaf_firmware | <= 3.0 | — |
Detection & IOCs
yara
regex: root:.*:0:0:
- Send an unauthenticated HTTP GET request to the camera web interface using a path traversal sequence (/../../../../../etc/passwd) and check the response body for the regex pattern 'root:.*:0:0:' with HTTP 200 status.
- Vulnerability is exploitable with no authentication (PR:N, UI:N) over the network (AV:N) against Genie Access WIP3BVAF devices running firmware through version 3.x.
- This product is discontinued; the final firmware version (3.x) is vulnerable. Version 4.x exists only for other Genie Access products, not this specific device.
CVSS provenance
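| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |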
Nuclei
CVE-2019-7315 [HIGH] Genie Access WIP3BVAF IP Camera - Local File Inclusion
nuclei · CVSS 7.5
Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to local file inclusion via the web interface, as demonstrated by reading /etc/shadow.
Template:
id: CVE-2019-7315

info:
  name: Genie Access WIP3BVAF IP Camera - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to local file inclusion via the web interface, as demonstrated by reading /etc/shadow.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the system.
  remediation: |
    Apply the latest firmware update provided by the vendor to fix the local file inclusion vulnerability.
  reference:
    - https://la