CVE-2017-3185

moderate-risk
Published 2017-12-16

ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC have a web application that uses the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser's history, referrers, web logs, and other sources.

Do I need to act?

~
1.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Acti

References (8)

Third Party Advisory http://www.securityfocus.com/bid/96720/info
Press/Media Coverage https://twitter.com/Hfuhs/status/839252357221330944
Press/Media Coverage https://twitter.com/hack3rsca/status/839599437907386368
Third Party Advisory https://www.kb.cert.org/vuls/id/355151
Third Party Advisory http://www.securityfocus.com/bid/96720/info
Press/Media Coverage https://twitter.com/Hfuhs/status/839252357221330944
Press/Media Coverage https://twitter.com/hack3rsca/status/839599437907386368
Third Party Advisory https://www.kb.cert.org/vuls/id/355151
41
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 4/34 · Minimal
Exposure 5/34 · Minimal