
Description

Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumeration through arbitrary HTTP requests.

PUBLISHED Reserved 2026-01-06 | Published 2026-01-07 | Updated 2026-01-08 | Assigner VulnCheck




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L)
MEDIUM: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Problem types

Server-Side Request Forgery (SSRF)

Product status

<=6.x: affected
505: affected
515: affected
1050: affected
1050/G3: affected
10100L: affected
10100L/G3: affected

Credits

Sipke Mellema (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php (Zero Science Lab Vulnerability Advisory) third-party-advisory

www.exploit-db.com/exploits/47764 (Exploit Database Entry 47764) exploit

packetstormsecurity.com/files/155617 (Packet Storm Security Exploit File) exploit

exchange.xforce.ibmcloud.com/vulnerabilities/172839 (IBM X-Force Vulnerability Exchange Entry) vdb-entry

www.inim.biz/ (INIM Vendor Homepage) product

cve.org (CVE-2019-25290)

nvd.nist.gov (CVE-2019-25290)
