ProVideoInstruments VECASTER-HD-H264 Firmware

An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.

Published: 2020-10-06T13:05:36.000Z
Updated: 2024-08-04T15:12:07.203Z

An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. When the administrator configures a secret URL for RTSP streaming, the stream is still available via its default name such as /0. Unauthenticated attackers can view video streams that are meant to be private.

Published: 2020-10-06T13:02:48.000Z
Updated: 2024-08-04T15:12:08.336Z

An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can use hard-coded credentials in HTTP requests to perform any administrative task on the device including retrieving the device's configuration (with the cleartext admin password), and uploading a custom firmware update, to ultimately achieve arbitrary code execution.

Published: 2020-10-06T13:00:33.000Z
Updated: 2024-08-04T15:12:08.683Z

An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. Attackers can send a crafted unauthenticated RTSP request to cause a buffer overflow and application crash. The device will not be able to perform its main purpose of video encoding and streaming for up to a minute, until it automatically reboots. Attackers can send malicious requests once a minute, effectively disabling the device.

Published: 2020-10-06T12:58:05.000Z
Updated: 2024-08-04T15:12:08.326Z