CVE-2024-56897

{"id": "CVE-2024-56897", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-02-24T16:15:12.463", "references": [{"url": "https://geochen.medium.com/cve-2024-56897-yi-car-dashcam-39304a4b21b4", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/geo-chen/YI-Smart-Dashcam/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://yitechnology.com.sg/products/dash-camera/", "tags": ["Broken Link"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset."}, {"lang": "es", "value": " El control de acceso inadecuado en el servidor HTTP de YI Car Dashcam v3.88 permite descargas y cargas de archivos sin restricciones y comandos API. Los comandos API tambi\u00e9n se pueden utilizar para realizar modificaciones no autorizadas en la configuraci\u00f3n del dispositivo, como deshabilitar la grabaci\u00f3n, deshabilitar los sonidos o restablecer los valores de f\u00e1brica."}], "lastModified": "2025-03-03T20:15:43.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:yitechnology:yi_car_dashcam_firmware:3.88:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63900D3F-0040-45DC-9C91-34E968E71E43"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:yitechnology:yi_car_dashcam:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8489067E-ADD1-47A2-B515-256C4B276B17"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}