Hikvision HikCentral Master Lite and Professional Affected by Multiple Vulnerabilities
Hikvision, a leading provider of AIoT and video surveillance solutions, has disclosed three vulnerabilities affecting its HikCentral Master Lite and HikCentral Professional software. These flaws could allow attackers to execute malicious code, steal sensitive information, and disrupt system operations.
The vulnerabilities, identified as CVE-2024-47485, CVE-2024-47486, and CVE-2024-47487, range from CSV injection and cross-site scripting (XSS) to SQL injection flaws.
More specifically:
- CVE-2024-47485 is a CSV injection vulnerability that could allow an attacker to inject malicious data into a CSV file, leading to the execution of arbitrary commands on the system.
- CVE-2024-47486 is an XSS vulnerability that could allow an attacker to inject malicious scripts into web pages viewed by users, potentially stealing their session cookies or redirecting them to malicious websites.
- CVE-2024-47487 is a SQL injection vulnerability that could allow an attacker to execute malicious SQL queries, potentially gaining unauthorized access to sensitive data or modifying the system’s behavior.
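As an added defensive example (not Hikvision's code and not the reported bug itself): a server-side CSV export that neutralises the cell prefixes spreadsheet applications interpret as formulas, which is the standard mitigation for the CSV-injection class behind CVE-2024-47485. The function names and the sample event rows are assumptions constructed for the example.

```python
import csv
import io

# Leading characters that make a spreadsheet application parse a cell as a
# formula when an exported CSV is opened. Defusing them at export time is the
# usual server-side mitigation for CSV (formula) injection.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value):
    """Detection helper: True if a string cell would be parsed as a formula."""
    return isinstance(value, str) and value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return the cell with any formula-triggering prefix defused.

    A leading single quote forces spreadsheet applications to treat the cell as
    literal text. Non-string values (numbers, None) are returned unchanged, so
    genuine numeric columns such as -5 are not affected.
    """
    if is_formula_cell(value):
        return "'" + value
    return value


def export_rows(rows):
    """Serialise rows to CSV text, defusing every cell on the way out.

    QUOTE_ALL keeps the output well-formed even when a cell contains commas,
    quotes or line breaks supplied by a user.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: an event log whose free-text "note" field is user-controlled.
SAMPLE_ROWS = [
    ["device_name", "operator", "note"],
    ["Lobby Cam 1", "alice", "routine check"],
    ["Gate Cam 2", "bob", "=1+1"],          # constructed formula payload
    ["Yard Cam 3", "carol", "  @SUM(1)"],   # leading spaces do not hide the trigger
]
```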
These vulnerabilities were discovered and reported to Hikvision by security researchers Yousef Alfuhaid and Manh Doan Duc.
The company has addressed these vulnerabilities by releasing updated versions of the affected software. Users are strongly encouraged to update their systems to the latest versions to mitigate the risk of exploitation.
| Product Name | CVE ID | Affected Versions | Fixed Version |
|---|---|---|---|
| HikCentral Master Lite | CVE-2024-47485 | Versions between V2.0.0 and V2.2.1 | V2.3.0 |
| HikCentral Master Lite | CVE-2024-47486 | Versions below V2.2.1 (including V2.2.1) | V2.3.0 |
| HikCentral Professional | CVE-2024-47487 | Versions between V2.0.0 and V2.6.0 | V2.6.1 |