Deserialization of untrusted data

2022-07-1800:15:00

PRIOn knowledge base

www.prio-n.com

9.6 High

AI Score

Confidence

High

0.051 Low

EPSS

Percentile

93.0%

QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization.

CPENameOperatorVersion
dvr_firmwareeq< 20211213
nvr_firmwareeq< 20211213

CPE	Name	Operator	Version
	dvr_firmware	eq	< 20211213
	nvr_firmware	eq	< 20211213

References

gist.github.com/Meeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/712ac36c8a08e2698e875169442a23a4

github.com/projectdiscovery/nuclei-templates/blob/master/iot/qvisdvr-deserialization-rce.yaml

twitter.com/Me9187/status/1414904314368348163