CVE-2020-22002
HIGH
Inim Smartliving SmartLAN/G/SI <=6.x - Unauthenticated Server-Side Request Forgery via GetImage Host Parameter
Title source: llm
Description
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in Inim Electronics Smartliving SmartLAN/G/SI <=6.x within the GetImage functionality. The application parses user-supplied data in the GET parameter 'host' to construct an image request to the service through onvif.cgi. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/172839
Scores
CVSS v3
7.5
EPSS
0.0135
EPSS Percentile
68.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-918
Status
published
Products (6)
inim/smartliving_10100l_firmware
inim/smartliving_10100lg3_firmware
inim/smartliving_1050_firmware
inim/smartliving_1050g3_firmware
inim/smartliving_505_firmware
inim/smartliving_515_firmware
Published
Apr 29, 2021
Tracked Since
Feb 18, 2026