Reolink RLC-410W Firmware vulnerabilities
88 known vulnerabilities affecting reolink/rlc-410w_firmware.
Total CVEs: 88
CISA KEV: 2 (actively exploited)
Public exploits: 0
Exploited in wild: 2
Severity breakdown: CRITICAL 3, HIGH 81, MEDIUM 4
Vulnerabilities
CVE-2021-40407 | P1 | HIGH | CVSS 7.2 | KEV | CWE-78 | v3.0.0.136_20121102 | 2022-01-28
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker c
nvd
CVE-2019-11001 | P1 | HIGH | CVSS 7.2 | KEV | CWE-78 | ≤ 1.0.227 | 2019-04-08
On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field.
nvd
CVE-2021-40408 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v3.0.0.136_20121102 | 2022-01-28
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->username variable, that has the value of the userName parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection.
nvd
CVE-2021-40409 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v3.0.0.136_20121102 | 2022-01-28
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->password variable, that has the value of the password parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection.
nvd
CVE-2021-40410 | P3 | HIGH | CVSS 7.2 | CWE-78 | v3.0.0.136_20121102 | 2022-01-28
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [4] the dns_data->dns1 variable, that has the value of the dns1 parameter provided through the SetLocal API, is not validated properly. This would lead to an OS command injection.
nvd
CVE-2021-40412 | P3 | HIGH | CVSS 7.2 | CWE-78 | v3.0.0.136_20121102 | 2022-01-28
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [8] the devname variable, that has the value of the name parameter provided through the SetDevName API, is not validated properly. This would lead to an OS command injection.
nvd
CVE-2022-21217 | P3 | CRITICAL | CVSS 9.8 | CWE-457 | v3.0.0.136_20121102 | 2022-01-28
An out-of-bounds write vulnerability exists in the device TestEmail functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted network request can lead to an out-of-bounds write. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-40416 | P3 | HIGH | CVSS 8.8 | CWE-284 | v3.0.0.136_20121102 | 2022-01-28
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. All the Get APIs that are not included in cgi_check_ability are already executable by any logged-in users. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-40411 | P3 | HIGH | CVSS 7.2 | CWE-78 | v3.0.0.136_20121102 | 2022-01-28
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [6] the dns_data->dns2 variable, that has the value of the dns2 parameter provided through the SetLocalLink API, is not validated properly. This would lead to an OS command injection.
nvd
CVE-2021-40419 | P3 | HIGH | CVSS 7.5 | CWE-489 | v3.0.0.136_20121102 | 2022-01-28
A firmware update vulnerability exists in the 'factory' binary of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted series of network requests can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.
nvd
CVE-2022-21796 | P3 | HIGH | CVSS 8.2 | CWE-20 | v3.0.0.136_20121102 | 2022-01-28
A memory corruption vulnerability exists in the netserver parse_command_list functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to an out-of-bounds write. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2022-21134 | P3 | HIGH | CVSS 7.5 | CWE-347 | v3.0.0.136_20121102 | 2022-01-28
A firmware update vulnerability exists in the "update" firmware checks functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to firmware update. An attacker can send a sequence of requests to trigger this vulnerability.
nvd
CVE-2022-21236 | P3 | HIGH | CVSS 7.5 | CWE-219 | v3.0.0.136_20121102 | 2022-01-28
An information disclosure vulnerability exists due to a web server misconfiguration in the Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-44354 | P3 | HIGH | CVSS 7.5 | CWE-20 | v3.0.0.136_20121102 | 2022-04-14
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-44357 | P3 | HIGH | CVSS 7.5 | CWE-20 | v3.0.0.136_20121102 | 2022-04-14
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-44366 | P3 | HIGH | CVSS 7.5 | CWE-20 | v3.0.0.136_20121102 | 2022-04-14
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-44394 | P3 | HIGH | CVSS 7.5 | CWE-20 | v3.0.0.136_20121102 | 2022-04-14
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-44356 | P3 | HIGH | CVSS 7.5 | CWE-20 | v3.0.0.136_20121102 | 2022-04-14
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-44375 | P3 | HIGH | CVSS 7.5 | CWE-20 | v3.0.0.136_20121102 | 2022-04-14
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-44355 | P3 | HIGH | CVSS 7.5 | CWE-20 | v3.0.0.136_20121102 | 2022-04-14
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
nvd