Vulnerability Note VU#882286
Samsung Web Viewer for Samsung DVR allows authentication bypass and password disclosure
CWE-313: Cleartext Storage in a File or on Disk - CVE-2013-3585
Web Viewer for Samsung DVR stores user credentials in plaintext, allowing an attacker to parse saved credentials on the user setup webpage.
A remote unauthenticated attacker may be able to retrieve the device's administrator password, allowing them to directly access the device's configuration web page or system password configuration files.
Apply an Update
Restrict access to the Samsung Web Viewer for Samsung DVR interface
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Samsung | Affected | 05 Jun 2013 | 03 Oct 2013 |
Thanks to Andrey Bezborodov for reporting this vulnerability.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-3585 CVE-2013-3586
- Date Public: 21 Aug 2013
- Date First Published: 21 Aug 2013
- Date Last Updated: 03 Oct 2013
- Document Revision: 33