CVE-2018-10770
CRITICALShenZhen Anni 5 in 1 XVR Firmware - Unauthenticated Sensitive Information Exposure via download.rsp
Title source: llmDescription
download.rsp on ShenZhen Anni "5 in 1 XVR" devices allows remote attackers to download the configuration (without a login) to discover the password.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/D0neMkj/EXP_IOT/tree/master/CAMERA/XVR_camera
Third Party Advisory x_refsource_misc
https://github.com/D0neMkj/EXP_IOT/blob/master/CAMERA/XVR_camera/readme
Scores
CVSS v3
9.8
EPSS
0.0160
EPSS Percentile
72.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-200
Status
published
Products (1)
annigroup/5_in_1_xvr_firmware
Published
May 09, 2018
Tracked Since
Feb 18, 2026