Server-Side Request Forgery Vulnerability in Haivision Products

Posted date 28/02/2024
3 - Medium
Affected Resources
  • Aviwest Manager;
  • Aviwest Streamhub.

INCIBE has coordinated the publication of a medium severity vulnerability affecting Haivision's Aviwest Manager and Aviwest Streamhub, two video monitoring and device management tools, which has been discovered by Konrad Kowal Karp of Telefónica Tech.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-1965: 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | CWE-918 

There is no reported solution at this time.

  • CVE-2024-1965: Server-Side Request Forgery vulnerability in Haivision's Aviwest Manager and Aviwest Steamhub. This vulnerability could allow an attacker to enumerate internal network configuration without the need for credentials. An attacker could compromise an internal server and retrieve requests sent by other users.