Filtered by vendor Reolink
Subscribe
Total
99 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-55621 | 1 Reolink | 1 Reolink | 2025-09-04 | N/A | 6.5 MEDIUM |
| An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are part of a social platform on which users expect to find one another. | |||||
| CVE-2025-55622 | 1 Reolink | 1 Reolink | 2025-09-01 | N/A | 6.5 MEDIUM |
| Reolink v4.54.0.4.20250526 was discovered to contain a task hijacking vulnerability due to inappropriate taskAffinity settings. NOTE: this is disputed by the Supplier because it is intentional behavior to ensure a predictable user experience. | |||||
| CVE-2025-55625 | 1 Reolink | 1 Reolink | 2025-09-01 | N/A | 6.5 MEDIUM |
| An open redirect vulnerability in Reolink v4.54.0.4.20250526 allows attackers to redirect users to a malicious site via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior that supports redirection to Alexa URLs, which are not guaranteed to remain at the same domain indefinitely. | |||||
| CVE-2025-55619 | 1 Reolink | 1 Reolink | 2025-08-28 | N/A | 9.8 CRITICAL |
| Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering. | |||||
| CVE-2025-55620 | 1 Reolink | 1 Reolink | 2025-08-28 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the valuateJavascript() function of Reolink v4.54.0.4.20250526 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2025-55623 | 1 Reolink | 1 Reolink | 2025-08-28 | N/A | 5.4 MEDIUM |
| An issue in the lock screen component of Reolink v4.54.0.4.20250526 allows attackers to bypass authentication via using an ADB (Android Debug Bridge). | |||||
| CVE-2025-55624 | 1 Reolink | 1 Reolink | 2025-08-28 | N/A | 5.3 MEDIUM |
| An intent redirection vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access internal functions or access non-public components. | |||||
| CVE-2021-40407 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2025-04-02 | 7.5 HIGH | 7.2 HIGH |
| An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2019-11001 | 1 Reolink | 10 C1 Pro, C1 Pro Firmware, C2 Pro and 7 more | 2025-03-14 | 9.0 HIGH | 7.2 HIGH |
| On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field. | |||||
| CVE-2022-21801 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| A denial of service vulnerability exists in the netserver recv_command functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted network request can lead to a reboot. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2022-21796 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH |
| A memory corruption vulnerability exists in the netserver parse_command_list functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to an out-of-bounds write. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-21236 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability exists due to a web server misconfiguration in the Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-21217 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An out-of-bounds write vulnerability exists in the device TestEmail functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted network request can lead to an out-of-bounds write. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-21199 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An information disclosure vulnerability exists due to the hardcoded TLS key of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | |||||
| CVE-2022-21134 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A firmware update vulnerability exists in the "update" firmware checks functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to firmware update. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2021-44419 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetMdAlarm param is not object. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-44418 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetMdState param is not object. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-44417 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetAlarm param is not object. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-44416 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. Disconnect param is not object. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-44415 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. ModifyUser param is not object. An attacker can send an HTTP request to trigger this vulnerability. | |||||