| Title | HiDvr dashcam LF9 Pro Improper Access Controls |
|---|
| Description | Unauthenticated Access of Livestream and Download of Video Recordings
Once connected to the dashcam, an attacker can dump all video recordings via http://192.168.0.1:80/$filename without any HTTP-level authentication. To obtain a list of video recording filenames, the following steps need to be performed via API calls:
- register the client
- check work state
- stop work mode
- get directory capabilities
- fetch file list
The livestream can also be fetched directly without further authentication at rtsp://192.168.0.1:554/livestream/1
An attacker connected to the dashcam's network can access the live feed and dump all sensitive video recordings. |
|---|
| Source | ⚠️ https://github.com/geo-chen/LF9 |
|---|
| User | geochen (UID 78995) |
|---|
| Submission | 11/06/2025 05:27 PM (10 months ago) |
|---|
| Moderation | 23/06/2025 04:21 PM (12 days later) |
|---|
| Status | Approved |
|---|
| VulDB entry | 313651 [NOYAFA/Xiami LF9 Pro up to 20250611 RTSP Live Video Stream Endpoint improper access controls] |
|---|
| Points | 20 |
|---|