**Issue details**
The affected camera is model PTC310UV2 running firmware version 0.1.0000.59. The vulnerability is in the web interface used to access the camera. It was found during a penetration test, so certain information in the PoC screenshots has been redacted.
**Description**
This disclosure contains two vulnerabilities that have been identified in the AVer firmware login web interface. It should be noted that I am not very familiar with any of your products, meaning that some terms might not be used correctly.
This finding is a bit more comprehensive than CVE-2025-45619, though it mainly relates to client-side authentication.
Inspecting the source code of the web application reveals the authentication mechanism in use. Because authentication is performed in the frontend, the application has to pull the credentials from somewhere, in this case an endpoint, into the frontend. The function displayed below pulls the credentials from the endpoint identified in the first finding.
<img width="1000" alt="image" src="https://github.com/user-attachments/assets/e84a1476-b7e0-4c0b-945b-07d1ed677e62" />
The `SendAction("Get=acc", function(data)` line makes a request to the endpoint from the first finding, which returns the credentials in a "username&password&" format. Next, the function parses the returned string and stores the username in "auth_user" and the password in "auth_pwd". Finally, the function compares these values to those supplied by the user (name and pwd), and continues the login flow depending on whether the credentials are correct or not.
The application requests the stored credentials whether or not the credentials supplied by the user are valid. This means that if an attacker monitors the network traffic in their browser, the username or password will be exposed, unencrypted. This process is displayed in the figures below.
<img width="1000" alt="image" src="https://github.com/user-attachments/assets/ff3b001c-4ee8-4d98-ae6e-c357fff0b031" />
<img width="1000" alt="image" src="https://github.com/user-attachments/assets/0c0db847-34c2-4281-ae94-9de625fc301a" />
Storing or transferring passwords in the frontend violates best practice; instead, authentication should be handled securely using token-based methods (e.g., JWT, OAuth).
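As a sketch of the server-side alternative to the flow described above, the following added example (not AVer's code and not part of the original report) verifies the submitted password on the device and returns only a result flag and an opaque session token. It assumes a Node.js runtime; the names `createAccount`, `login` and `isAuthenticated` and the sample account are hypothetical.

```javascript
// Added example, not the vendor's code. All names are hypothetical.
const crypto = require('node:crypto');

const accounts = new Map(); // username -> { salt, hash }
const sessions = new Map(); // token -> { user, expires }
const SESSION_TTL_MS = 15 * 60 * 1000;
// Stand-in values so unknown usernames cost the same work as known ones.
const DUMMY = { salt: crypto.randomBytes(16), hash: crypto.randomBytes(32) };

function hashPassword(password, salt) {
  return crypto.scryptSync(String(password), salt, 32);
}

// Store only a salted hash; the plaintext password is never kept.
function createAccount(username, password) {
  const salt = crypto.randomBytes(16);
  accounts.set(username, { salt, hash: hashPassword(password, salt) });
}

// Runs on the device. The browser sends its guess; the reply carries only
// a result flag and, on success, an opaque random session token.
function login(username, password) {
  const record = accounts.get(username);
  const { salt, hash } = record || DUMMY;
  const match = crypto.timingSafeEqual(hashPassword(password, salt), hash);
  if (!record || !match) return { ok: false };
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, { user: username, expires: Date.now() + SESSION_TTL_MS });
  return { ok: true, token };
}

// Every later request is authorized by the token, never by the password.
function isAuthenticated(token) {
  const session = sessions.get(token);
  if (!session) return false;
  if (session.expires < Date.now()) {
    sessions.delete(token);
    return false;
  }
  return true;
}

// Constructed sample account for demonstration.
createAccount('operator', 'constructed-sample-passphrase');
console.log(login('operator', 'wrong-guess'));
console.log(isAuthenticated(login('operator', 'constructed-sample-passphrase').token));
```

With this design a failed login response contains nothing an observer of the browser's network traffic could reuse, and the login exchange itself should still be served over TLS.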