Description
A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
Low
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
Low
Integrity (Subsequent System)
Low
Availability (Subsequent System)
Low
Affected products
- AVTECH / DVR devices1001-1000-1000-1000 – 1001-1000-1000-1000
- AVTECH / DVR devices1001-1000-1001-1001 – 1001-1000-1001-1001
- AVTECH / DVR devices1002-1000-1002-1001 – 1002-1000-1002-1001
- AVTECH / DVR devices1002-1001-1000-1000 – 1002-1001-1000-1000
- AVTECH / DVR devices1002-1001-1001-1001 – 1002-1001-1001-1001
- AVTECH / DVR devices1004-1002-1001-1000 – 1004-1002-1001-1000
- AVTECH / DVR devices1004-1002-1003-1000-FFFF – 1004-1002-1003-1000-FFFF
- AVTECH / DVR devices1004V-1002V-1003V-1001V – 1004V-1002V-1003V-1001V
- AVTECH / DVR devices1004Y-1002Y-1001EJ-1000Y – 1004Y-1002Y-1001EJ-1000Y
- AVTECH / DVR devices1004Y-1002Y-1001Y-1000Y – 1004Y-1002Y-1001Y-1000Y
- AVTECH / DVR devices1005-1002-1002-1000 – 1005-1002-1002-1000
- AVTECH / DVR devices1005-1002-1004-1001 – 1005-1002-1004-1001
- AVTECH / DVR devices1006-1001-1003-1004 – 1006-1001-1003-1004
- AVTECH / DVR devices1006-1002-1003-1000 – 1006-1002-1003-1000
- AVTECH / DVR devices1006Y-1002Y-1003Y-1000Y – 1006Y-1002Y-1003Y-1000Y
- AVTECH / DVR devices1007-1002-1004-1000 – 1007-1002-1004-1000
- AVTECH / DVR devices1007-1003-1003-1002 – 1007-1003-1003-1002
- AVTECH / DVR devices1007-1003-1005-1001 – 1007-1003-1005-1001
- AVTECH / DVR devices1007E-1003E-1005EJ-1001E – 1007E-1003E-1005EJ-1001E
- AVTECH / DVR devices1007V-1003V-1005V-1001V – 1007V-1003V-1005V-1001V
- AVTECH / DVR devices1007Y-1002Y-1004Y-1000Y – 1007Y-1002Y-1004Y-1000Y
- AVTECH / DVR devices1008-1002-1005-1000 – 1008-1002-1005-1000
- AVTECH / DVR devices1008-1004-1003-1002 – 1008-1004-1003-1002
- AVTECH / DVR devices1009-1003-1005-1006 – 1009-1003-1005-1006
- AVTECH / DVR devices1009-1003-1006-1001 – 1009-1003-1006-1001
- AVTECH / DVR devices1009-1007-1007-1000-FFFF – 1009-1007-1007-1000-FFFF
- AVTECH / DVR devices1009Y-1003Y-1006Y-1001Y – 1009Y-1003Y-1006Y-1001Y
- AVTECH / DVR devices1010-1004-1007-1001 – 1010-1004-1007-1001
- AVTECH / DVR devices1010-1005-1005-1002 – 1010-1005-1005-1002
- AVTECH / DVR devices1011-1004-1005-1006 – 1011-1004-1005-1006
- AVTECH / DVR devices1011-1005-1007-1001 – 1011-1005-1007-1001
- AVTECH / DVR devices1011-1005-1007EJ-1001 – 1011-1005-1007EJ-1001
- AVTECH / DVR devices1011-1005-1008-1002 – 1011-1005-1008-1002
- AVTECH / DVR devices1012-1004-1005-1006 – 1012-1004-1005-1006
- AVTECH / DVR devices1012-1005-1007-1002 – 1012-1005-1007-1002
- AVTECH / DVR devices1012-1006-1007-1001 – 1012-1006-1007-1001
- AVTECH / DVR devices1012-1008-1009-1000-FFFF – 1012-1008-1009-1000-FFFF
- AVTECH / DVR devices1014-1005-1009-1002 – 1014-1005-1009-1002
- AVTECH / DVR devices1014-1007-1009-1001 – 1014-1007-1009-1001
- AVTECH / DVR devices1014-1010-1010-1000-FFFF – 1014-1010-1010-1000-FFFF
- AVTECH / DVR devices1014Y-1007Y-1009Y-1001Y – 1014Y-1007Y-1009Y-1001Y
- AVTECH / DVR devices1015-1006-1010-1003 – 1015-1006-1010-1003
- AVTECH / DVR devices1015-1007-1007-1007 – 1015-1007-1007-1007
- AVTECH / DVR devices1015-1007-1010-1001 – 1015-1007-1010-1001
- AVTECH / DVR devices1015-1010-1011-1000-FFFF – 1015-1010-1011-1000-FFFF
- AVTECH / DVR devices1015Y-1007Y-1010Y-1001Y – 1015Y-1007Y-1010Y-1001Y
- AVTECH / DVR devices1016-1007-1005-1001 – 1016-1007-1005-1001
- AVTECH / DVR devices1016-1007-1011-1001 – 1016-1007-1011-1001
- AVTECH / DVR devices1016-1007-1011-1003 – 1016-1007-1011-1003
- AVTECH / DVR devices1016-1008-1007-1007 – 1016-1008-1007-1007
- AVTECH / DVR devices1016Y-1007Y-1011Y-1001Y – 1016Y-1007Y-1011Y-1001Y
- AVTECH / DVR devices1017-1008-1012-1002 – 1017-1008-1012-1002
- AVTECH / DVR devices1017-1009-1008-1008 – 1017-1009-1008-1008
- AVTECH / DVR devices1017-1011-1013-1001-FFFF – 1017-1011-1013-1001-FFFF
- AVTECH / DVR devices1017f-1011f-1013f-1001f-FFFF – 1017f-1011f-1013f-1001f-FFFF
- AVTECH / DVR devices1017Y-1008Y-1012Y-1002Y – 1017Y-1008Y-1012Y-1002Y
- AVTECH / DVR devices1018-1008-1012-1004 – 1018-1008-1012-1004
- AVTECH / DVR devices1019-1009-1013-1003 – 1019-1009-1013-1003
- AVTECH / DVR devices1019-1010-1009-1009 – 1019-1010-1009-1009
- AVTECH / DVR devices1019c-1012c-1014c-1001c-FFFF – 1019c-1012c-1014c-1001c-FFFF
- AVTECH / DVR devices1021-1011-1010-1009 – 1021-1011-1010-1009
- AVTECH / DVR devices1022-1012-1011-1009 – 1022-1012-1011-1009
- AVTECH / DVR devices1022-1014-1016-1002-FFFF – 1022-1014-1016-1002-FFFF
- AVTECH / DVR devices1022Y-1014Y-1016Y-1002Y-FFFF – 1022Y-1014Y-1016Y-1002Y-FFFF
- AVTECH / DVR devices1023-1013-1011-1009 – 1023-1013-1011-1009
- AVTECH / DVR devices1023-1014-1017-1002-FFFF – 1023-1014-1017-1002-FFFF
- AVTECH / DVR devices1025-1014-1013-1009 – 1025-1014-1013-1009
- AVTECH / DVR devices1026-1014-1014-1009 – 1026-1014-1014-1009
- AVTECH / DVR devices1027-1014-1015-1009 – 1027-1014-1015-1009
- AVTECH / DVR devicesS968-S968-S968-S968 – S968-S968-S968-S968
- AVTECH / DVR devicesV171P-V171P-V171P-V171P – V171P-V171P-V171P-V171P
- AVTECH / DVR devicesV189-V189-V189-V189 – V189-V189-V189-V189
References
- EXPLOIThttps://www.exploit-db.com/exploits/40500
- MISChttps://avtech.com/
- VENDOR_ADVISORYhttps://web.archive.org/web/20240810225729/https://www.search-lab.hu/advisories/126-AVTech-devices-multiple-vulnerabilities
- MISChttps://web.archive.org/web/20161029201749/https://github.com/ebux/AVTECH
- VENDOR_ADVISORYhttps://vulncheck.com/advisories/avtech-ipcamera-nvr-dvr-mulitple-vulns