This vulnerability (with proof of concept (PoC) code) affects DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC).
Exploiting the vulnerabilities lead to unauthorized remote code execution (RCE) using only the web interface, causing full takeover of the exploited device
Severity: high
Fingerprint: 321975614123c6c05f83e99b4ecaa5e1398b5c42398b5c42398b5c42398b5c42
Found HiSiliconDVR firmware: Hardware: JvFeng_OverSea AHB7004T-MHV2 Vulnerable to multiple issues : LFI, possibly RCE
An attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system.
This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.
https://www.acunetix.com/websitesecurity/directory-traversal/
Severity: critical
Fingerprint: ac4d53c4832b2491c591c07df231d2bcf231d2bc8117f206b4436c27ccc1d846
Found host file trough Directory traversal: 127.0.0.1 localhost # the following lines are desirable for ipv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 127.0.1.1 gwg