Unauthenticated Arbitrary User Addition and Code Execution Vulnerability in NUUO NVRmini2 through 3.11

CVE-2022-23227 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because handle_import_user.php performs no authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
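For detection, the following added example (not vendor or advisory code) scans web access logs for requests to handle_import_user.php that come from outside a management network. The Combined Log Format, the `ADMIN_NETS` subnet, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: a web server or reverse proxy in front of the NVR writes
# Common/Combined Log Format lines.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
ENDPOINT = "handle_import_user.php"  # endpoint named in the advisory
# Assumption: constructed management subnet that legitimately imports users.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2022:03:14:01 +0000] "GET /login.php HTTP/1.1" 200 1200 "-" "-"',
    '203.0.113.7 - - [12/Jan/2022:03:14:07 +0000] "POST /handle_import_user.php HTTP/1.1" 200 42 "-" "-"',
    '10.20.0.15 - - [12/Jan/2022:09:00:01 +0000] "POST /handle_import_user.php HTTP/1.1" 200 42 "-" "-"',
    '198.51.100.23 - - [12/Jan/2022:03:20:11 +0000] "GET /Handle_Import_User.php?x=1 HTTP/1.1" 404 0 "-" "-"',
]


def is_admin(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or malformed field: treat as untrusted
    return any(addr in net for net in ADMIN_NETS)


def find_import_requests(lines):
    """Map each non-admin source to its requests for the import endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Decode percent-escapes, drop the query string, compare the last
        # path segment case-insensitively so trivial variations still match.
        name = unquote(m["path"]).split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name == ENDPOINT and not is_admin(m["src"]):
            hits[m["src"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)


if __name__ == "__main__":
    for src, events in find_import_requests(SAMPLE_LOG).items():
        for ts, method, status in events:
            print(f"{src} {ts} {method} {ENDPOINT} -> {status}")
```

A POST with a 2xx status from a source outside the management network is the case to follow up by reviewing the device's user list.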
