Security Vulnerabilities in Hikvision Web Browser Plug-in LocalServiceComponents

SN No. HSRC-202311-02

 

Edit: Hikvision Security Response Center (HSRC)

 

Initial Release Date: 2023-11-23

 

Summary

1. A buffer overflow vulnerability in a web browser plug-in could allow an attacker to send crafted messages to computers on which this plug-in is installed, which could lead to arbitrary code execution or cause a process exception in the plug-in.

2. An attacker could exploit a vulnerability by sending crafted messages to computers on which this plug-in is installed to modify plug-in parameters, which could cause affected computers to download malicious files.

 

CVE ID

CVE-2023-28812

CVE-2023-28813

 

Scoring

CVSS v3.1 is adopted in this vulnerability scoring (http://www.first.org/cvss/specification-document).

CVE-2023-28812

Base score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

CVE-2023-28813

Base score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)

 

Affected Versions and Fix

| Product Name | Affected Versions | Resolved Version |
| --- | --- | --- |
| LocalServiceComponents | version 1.0.0.78 and the versions prior to it | 1.0.0.81 |

 

Obtaining Fixed Version

Users can download the patch on the Hikvision official website (https://www.hikvision.com/en/support/tools/hitools/cl31f95c645ddb0235/).
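
To find which machines still need the fixed version, the affected and resolved versions stated above can be applied to a software inventory. The following is an added example, not code from Hikvision or this advisory; the CSV layout and host names are constructed, and reporting builds between 1.0.0.78 and 1.0.0.81 as unconfirmed is an assumption made because the advisory does not state their status.

```python
"""Triage LocalServiceComponents versions against HSRC-202311-02 (added example)."""
import csv
import io

LAST_AFFECTED = (1, 0, 0, 78)  # advisory: 1.0.0.78 and prior versions are affected
RESOLVED = (1, 0, 0, 81)       # advisory: resolved version


def parse_version(text):
    """Return a four-part dotted version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(text):
    """Map a version string to AFFECTED, FIXED, UNCONFIRMED or UNPARSEABLE."""
    version = parse_version(text)
    if version is None:
        return "UNPARSEABLE"
    # Compare numerically: as strings, "1.0.0.9" would sort after "1.0.0.78".
    if version <= LAST_AFFECTED:
        return "AFFECTED"
    if version >= RESOLVED:
        return "FIXED"
    # Assumption: the advisory is silent on builds between 78 and 81.
    return "UNCONFIRMED"


def triage(inventory_csv):
    """Return {host: status} for CSV text with 'host' and 'version' columns."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["version"]) for row in reader}


# Constructed sample inventory (hypothetical host names, not from the advisory).
SAMPLE_INVENTORY = """host,version
ws-001,1.0.0.78
ws-002,1.0.0.9
ws-003,1.0.0.81
ws-004,1.0.0.80
ws-005,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as UNCONFIRMED or UNPARSEABLE should be checked by hand and moved to 1.0.0.81 rather than assumed safe.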

 

Source of vulnerability information

This vulnerability was reported to HSRC by Team.ENVY (KITRI BoB 12th).

 

Contact Us

To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com.

Hikvision would like to thank all security researchers for your attention to our products.
