CVE-2024-56897 — CRITICAL (9.8)

Vulnerability Description

Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Yitechnology	Yi Car Dashcam Firmware	3.88
Yitechnology	Yi Car Dashcam	-

Related Weaknesses (CWE)

CWE-434

References

https://geochen.medium.com/cve-2024-56897-yi-car-dashcam-39304a4b21b4ExploitThird Party Advisory
https://github.com/geo-chen/YI-Smart-Dashcam/ExploitThird Party Advisory
https://yitechnology.com.sg/products/dash-camera/Broken Link

FAQ

What is CVE-2024-56897?

CVE-2024-56897 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to th...

How severe is CVE-2024-56897?

CVE-2024-56897 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-56897?

Check the references section above for vendor advisories and patch information. Affected products include: Yitechnology Yi Car Dashcam Firmware, Yitechnology Yi Car Dashcam.