vendor:
Digital video recorders
by:
Paul Davies, Andrew Tierney, Brendan Coles
N/A
CVSS
N/A
Remote command execution
Unknown
CWE
Product Name: Digital video recorders
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: No
Related CWE:
CPE: Unknown
Platforms Tested: Linux
Unknown
MVPower DVR Shell Unauthenticated Command Execution
This module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string. This module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17). The TV-7108HE model is also reportedly affected, but untested.
Mitigation:
Unknown
