Vulnerabilities (CVE)

Filtered by vendor Geovision
Total 27 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-42364 1 Geovision 4 Gv-lpc2011, Gv-lpc2011 Firmware, Gv-lpc2211 and 1 more 2026-05-05 N/A 9.9 CRITICAL
An OS command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.
CVE-2026-42367 1 Geovision 4 Gv-lpc2011, Gv-lpc2011 Firmware, Gv-lpc2211 and 1 more 2026-05-05 N/A 6.5 MEDIUM
A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to a credentials leak. An attacker can visit a webpage to trigger this vulnerability.
CVE-2026-42365 1 Geovision 4 Gv-lpc2011, Gv-lpc2011 Firmware, Gv-lpc2211 and 1 more 2026-05-05 N/A 8.6 HIGH
A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can brute-force session cookies to trigger this vulnerability.
CVE-2026-42366 1 Geovision 4 Gv-lpc2011, Gv-lpc2011 Firmware, Gv-lpc2211 and 1 more 2026-05-05 N/A 7.4 HIGH
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability.
CVE-2026-42368 1 Geovision 4 Gv-lpc2011, Gv-lpc2011 Firmware, Gv-lpc2211 and 1 more 2026-05-05 N/A 9.9 CRITICAL
A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execution of a privileged operation. An attacker can visit a webpage to trigger this vulnerability.
CVE-2026-42370 1 Geovision 2 Gv-vms, Gv-vms Firmware 2026-05-05 N/A 9.0 CRITICAL
A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
CVE-2026-7161 1 Geovision 1 Gv-ip Device Utility 2026-05-05 N/A 9.3 CRITICAL
An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to a credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various GeoVision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcast over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derived from Blowfish. However, the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password relies only on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its IP address or even reset it to factory default.
CVE-2026-7371 1 Geovision 4 Gv-lpc2011, Gv-lpc2011 Firmware, Gv-lpc2211 and 1 more 2026-05-05 N/A 7.4 HIGH
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XSS via the error message returned when requesting a non-existent page.
CVE-2026-7372 1 Geovision 2 Gv-vms, Gv-vms Firmware 2026-05-05 N/A 9.0 CRITICAL
A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

#### Stack-overflow via unconstrained sscanf

The call to `sscanf` at [1] to split the `Buffer` variable into the `username` and `password` variables doesn't limit the size of the extracted content to match the destination buffers' sizes. In this case, if either the username or password decoded from the authorization string exceeds `40` characters (the size of the stack variables `username` and `password`) then a stack overflow will occur. The data is controlled by an attacker, but stronger constraints (e.g. no null bytes) may make exploitation harder. A successful attack could lead to full code execution as SYSTEM on the machine running the service.
CVE-2009-5087 1 Geovision 1 Digital Surveillance System 2026-04-29 5.0 MEDIUM N/A
Directory traversal vulnerability in geohttpserver in Geovision Digital Video Surveillance System 8.2 allows remote attackers to read arbitrary files via a .. (dot dot) in a GET request.
CVE-2009-0865 1 Geovision 1 Livex Activex Control 2026-04-23 8.8 HIGH N/A
Directory traversal vulnerability in the SnapShotToFile method in the GeoVision LiveX (aka LiveX_v8200) ActiveX control 8.1.2 and 8.2.0 in LIVEX_~1.OCX allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in the argument, possibly involving the PlayX and SnapShotX methods.
CVE-2009-1092 1 Geovision 1 Liveaudio Activex Control 2026-04-23 9.3 HIGH N/A
Use-after-free vulnerability in the LIVEAUDIO.LiveAudioCtrl.1 ActiveX control in LIVEAU~1.OCX 7.0 for GeoVision DVR systems allows remote attackers to execute arbitrary code by calling the GetAudioPlayingTime method with certain arguments.
CVE-2005-1553 1 Geovision 1 Digital Surveillance System 2026-04-16 7.5 HIGH N/A
GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0 uses a weak encryption scheme to encrypt passwords, which allows remote attackers to obtain the password via sniffing.
CVE-2005-1552 1 Geovision 1 Digital Surveillance System 2026-04-16 5.0 MEDIUM N/A
GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0, when set to create JPEG images, does not properly protect an image even when a password and username are assigned, which may allow remote attackers to gain sensitive information via a direct request to the image.
CVE-2004-2101 1 Geovision 1 Geohttpserver 2026-04-16 5.0 MEDIUM N/A
The sysinfo script in GeoHttpServer allows remote attackers to cause a denial of service (crash) via a long pwd parameter, possibly triggering a buffer overflow.
CVE-2004-2100 1 Geovision 1 Geohttpserver 2026-04-16 5.0 MEDIUM N/A
GeoHttpServer, when configured to authenticate users, allows remote attackers to bypass authentication and access unauthorized files via a URL that contains %0a%0a (encoded newlines).
CVE-2024-11120 1 Geovision 8 Gv-dsp Lpr, Gv-dsp Lpr Firmware, Gv-vs11 and 5 more 2025-10-30 N/A 9.8 CRITICAL
Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.
CVE-2024-6047 1 Geovision 40 Gv-bx130, Gv-bx130 Firmware, Gv-bx1500 and 37 more 2025-10-30 N/A 9.8 CRITICAL
Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.
CVE-2022-46070 1 Geovision 1 Gv-asmanager 2025-09-18 N/A 7.5 HIGH
GV-ASManager V6.0.1.0 contains a Local File Inclusion vulnerability in GeoWebServer via Path.
CVE-2024-12553 1 Geovision 1 Gv-asmanager 2025-08-14 N/A 6.5 MEDIUM
GeoVision GV-ASManager Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of GeoVision GV-ASManager. Although authentication is required to exploit this vulnerability, default guest credentials may be used. The specific flaw exists within the GV-ASWeb service. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-25394.