SN No. HSRC-202206-01
Edit: Hikvision Security Response Center (HSRC)
Initial Release Date: 2022-06-23
Übersicht
The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerabilities:
1) Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.
2) Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device.
CVE ID
CVE-2022-28171
CVE-2022-28172
Scoring
CVSS v3 is adopted in this vulnerability scoring.
(http://www.first.org/cvss/specification-document)
CVE-2022-28171
Basisbewertung:: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Temporäre Bewertung: 6.7 (/E:P/RL:O/RC:C)
CVE-2022-28172
Basisbewertung:: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Temporäre Bewertung: 5.9 (E:P/RL:O/RC:C)
Affected Versions and Fixes
Product Name |
Affected Versions |
DS-A71024/48/72R |
Versions below V2.3.8-6 (including V2.3.8-6) |
DS-A80624S |
DS-A81016S |
DS-A72024/72R |
DS-A80316S |
DS-A82024D |
DS-A71024/48R-CVS |
Versions below V1.1.4 (including V1.1.4) |
DS-A72024/48R-CVS |