4 matches found
CVE-2025-34036 Shenzhen TVT CCTV-DVR Command Injection
An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When th...
CVE-2025-34036
The CVE-2025-34036 issue affects white-labeled TVT DVRs’ Cross Web Server, a custom HTTP service listening on TCP ports 81/82. The web UI fails to sanitize the [lang] parameter in the /language/[lang]/index.html path, allowing unsafely used input in a tar extraction command to enable OS command i...
Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API RCE
Subject: Shenzhen TVT Digital Technology Co. Ltd & OEM DVR/NVR/IPC API RCE Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis December 2017 PoC: https://github.com/mcw0/PoC Python PoC: https://github.com/mcw0/PoC/blob/master/TVT-PoC.py Release date: April 9,...
TVT TD-2308SS-B DVR contains a directory traversal vulnerability
Overview TVT TD-2308SS-B DVR and possibly other models contain a directory traversal vulnerability CWE-22. Description CWE-22: Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' TVT TD-2308SS-B DVR and possibly other models running firmware version 3.2.0.P-3520A-00 conta...