Vulnerability — CVE-2022-23227

CVE-2022-23227

Reference to the description:: https://nvd.nist.gov/vuln/detail/CVE-2022-23227
Description:: NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
Last updated date:: 01/03/2025

ACTIVELY EXPLOITED

Type:: exploitation
Confidence:: HIGH
Date of publishing:: 12/18/2024
Reference url to background: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Type:: exploit
Confidence:: HIGH
Date of publishing:: 01/21/2022
Reference url to background: https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd

Type:: exploit
Confidence:: HIGH
Date of publishing:: 01/21/2022
Reference url to background: https://github.com/rapid7/metasploit-framework/pull/16044

Type:: exploit
Confidence:: HIGH
Date of publishing:: 01/21/2022
Reference url to background: https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device