| Title | Mercury MNVR816 Video Recorder 2.0.1.0.5 File and Directory Information Exposure |
|---|
| Description |
# An unauthenticated web interface in Mercury-MNVR816 Video Recorder
## Overview
* Type: Information leak
* Supplier: Mercury
* Victim URL: http://192.168.1.240/web-static/
* Product: MNVR816
* Affected version: (latest) 2.0.1.0.5
* Firmware download: https://service.mercurycom.com.cn/download-2582.html
## Description
An unauthenticated web interface leaks local files of the affected video recorder devices. Without any permission, attackers can obtain sensitive information about the device from the victim URL.
The victim URL is a hidden interface that is not protected by any authentication or authorization.
## Business Impact
The unauthenticated web interface could lead to serious damage. The vulnerability is therefore very dangerous and could also result in reputational damage for the business through its impact on customers' trust.
## Steps to Reproduce
Visit the victim URL from the web, and you can browse the local files without any permission.
|
|---|
| User | leetmoon (UID 42673) |
|---|
| Submission | 09/02/2024 09:28 (2 years ago) |
|---|
| Moderation | 09/10/2024 15:11 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 276963 [Mercury MNVR816 up to 2.0.1.0.5 /web-static/ file access] |
|---|
| Points | 17 |
|---|