CVE-2020-11681

Castel NextGen DVR v1.0.0 stores and displays credentials for the associated SMTP server in cleartext. Low privileged users can exploit this to create an administrator user and obtain the SMTP credentials.

FULLDISC: http://seclists.org/fulldisclosure/2020/Jun/8
MISC: http://packetstormsecurity.com/files/157954/Castel-NextGen-DVR-1.0.0-Bypass-CSRF-Disclosure.html
MISC: https://www.securitymetrics.com/blog/attackers-known-unknown-authorization-bypass
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11681

14 years
257 countries
685k users
4536k calculations
Logo zoneway.cz
Logo ipcamtalk.com
Logo reolink.com
Logo www.inv-technology.com
Logo www.power-shop.gr
Logo www.i4wifi.cz