User Enumeration Vulnerability in Hikvision DVR Product
CVE-2020-7057

5.3MEDIUM

Key Information:

Vendor: Hikvision
Status: Ds-7204hghi-f1 Firmware
Vendor: CVE Published:; 14 January 2020

What is CVE-2020-7057?

The Hikvision DVR DS-7204HGHI-F1 device exhibits a user enumeration vulnerability that arises during failed login attempts via the ISAPI/Security/sessionLogin/capabilities endpoint. Depending on the existence of the user account, the device provides varying responses, making it easier for potential attackers to discern valid usernames. Although the device restricts the number of login attempts to about four or five, this oversight could significantly assist in crafting more targeted attacks against user accounts.

References

https://sku11army.blogspot.com/2020/01/hikvision-dvr-ds-7...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 14, 2020
Vulnerability Reserved
Jan 14, 2020