Nuuo: community verdicts
3 notable / known-exploited Nuuo CVEs the community has triaged.
ⓘ Not an exhaustive list: we focus on the findings that matter (exploited / notable). For every Nuuo CVE, see NVD ↗.
- CVE-2018-14933CRIT 9.8KEVEPSS 94%
upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.
- CVE-2022-23227CRIT 9.8KEVEPSS 49%
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
- CVE-2022-25521CRIT 9.8Real · low riskEPSS 2%
NUUO v03.11.00 was discovered to contain access control issue.