CVE-2019-25290

MEDIUM

Smartliving SmartLAN/G/SI <=6.x - SSRF

Title source: llm

Description

Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumeration through arbitrary HTTP requests.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappshardware

https://www.exploit-db.com/exploits/47764

View Code ZIP pw:eip

References (5)

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/47764

[Exploit, Third Party Advisory] https://packetstormsecurity.com/files/155617

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/172839

[Various Sources] https://www.inim.biz/

Scores

CVSS v3 5.3

EPSS 0.0004

EPSS Percentile 12.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (7)

INIM Electronics s.r.l./Smartliving SmartLAN/G/SI 10100L

INIM Electronics s.r.l./Smartliving SmartLAN/G/SI 10100L/G3

INIM Electronics s.r.l./Smartliving SmartLAN/G/SI 1050

INIM Electronics s.r.l./Smartliving SmartLAN/G/SI 1050/G3

INIM Electronics s.r.l./Smartliving SmartLAN/G/SI 505

INIM Electronics s.r.l./Smartliving SmartLAN/G/SI 515

INIM Electronics s.r.l./Smartliving SmartLAN/G/SI <=6.0

Published Jan 08, 2026

Tracked Since Feb 18, 2026