Multiple vulnerabilities in Trivision Camera NC227WF

Posted date 27/02/2025
Identifier
INCIBE-2025-0107
Importance
4 - High
Affected Resources

Camera NC227WF, version 5.8.0.

Description

INCIBE has coordinated the publication of 2 high severity vulnerabilities affecting Trivision Camera NC227WF, version 5.8.0, which were discovered by Andrea Brosio and Andris Raugulis.

Each vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-1738: CVSS v3.1: 6.2 | CVSS AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-598.
  • CVE-2025-1739: CVSS v3.1: 7.1 | CVSS AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | CWE-288.

Solution

There is no reported solution at this time. 

Detail
  • CVE-2025-1738: A Password Transmitted over Query String vulnerability has been found in Trivision Camera NC227WF v5.8.0 from TrivisionSecurity, exposing this sensitive information to a third party.
  • CVE-2025-1739: An Authentication Bypass vulnerability has been found in Trivision Camera NC227WF v5.8.0 from TrivisionSecurity. This vulnerability allows an attacker to retrieve the administrator's credentials in cleartext by using curl to send a request with random credentials to "/en/player/activex_pal.asp" on the server, which successfully authenticates to the application.
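
With no fix available, one defensive measure is to review the access logs of a proxy placed in front of the camera. The following added example (not part of the advisory or the vendor's code) flags requests that carry credentials in the query string, redacting the values so the report does not leak them again, and requests to the path named for CVE-2025-1739. The parameter names, the Common Log Format input and the sample lines are assumptions, since the advisory does not specify them.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: the advisory does not name the query parameters, so these
# credential-like names are generic guesses to tune for your environment.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "user", "username"}
WATCHED_PATH = "/en/player/activex_pal.asp"  # path named for CVE-2025-1739
# Common Log Format: client ... "METHOD target HTTP/x.y" status
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def redact(target):
    """Return (redacted_target, leaked_param_names) for a request target."""
    parts = urlsplit(target)
    leaked, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            leaked.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    return parts._replace(query=urlencode(pairs)).geturl(), leaked

def scan(lines):
    """Yield one finding per log line that matches either check."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        safe_target, leaked = redact(m["target"])
        reasons = []
        if leaked:
            reasons.append("credentials-in-query-string")  # CWE-598
        if urlsplit(m["target"]).path.lower() == WATCHED_PATH:
            reasons.append("watched-path")
        if reasons:
            yield {"client": m["client"], "status": int(m["status"]),
                   "target": safe_target, "reasons": reasons}

# Constructed sample log lines (not captured from a real device).
SAMPLE = [
    '192.0.2.10 - - [27/Feb/2025:10:00:01 +0000] "GET /example.asp?user=admin&pwd=s3cret HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Feb/2025:10:00:05 +0000] "GET /en/player/activex_pal.asp HTTP/1.1" 200 2048',
    '192.0.2.12 - - [27/Feb/2025:10:00:09 +0000] "GET /images/logo.png HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any log that already stored the unredacted URLs should be treated as containing credentials and access-restricted accordingly.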