Hikvision DVR DS-7204HGHI-F1 V4.0.1 build 180903 Web Version sends a different response for failed ISAPI/Security/sessionLogin/capabilities login attempts depending on whether the user account exists, which might make it easier to enumerate users. However, only about 4 or 5 failed logins are allowed.
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Ds-7204hghi-f1_firmware | Hikvision | 4.0.1-180903 (including) | 4.0.1-180903 (including) |
Common protection mechanisms include:

- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
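As an added illustration (not code from Hikvision or from the referenced libraries), the following Python login handler applies the two mitigations this record points at: an identical failure response whether or not the account exists, and a sliding-window lockout keyed on the submitted username so the lockout itself cannot be used to tell real accounts from unknown ones. The window size, failure limit and user store are assumed values chosen for the demo.

```python
import hmac
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed policy: count failures over the last 60 s
MAX_FAILURES = 5      # assumed policy: lock after 5 failures in the window

# Constructed user store for the demo (plaintext only to keep the example short).
USERS = {"admin": "correct-horse"}
DUMMY_SECRET = "x" * 16  # compared against when the user is unknown

# One failure response for both "no such user" and "wrong password".
GENERIC_FAILURE = {"status": 401, "body": "invalid username or password"}
LOCKED = {"status": 429, "body": "too many attempts; try again later"}


class LoginService:
    def __init__(self, users, now=time.monotonic):
        self._users = users
        self._now = now                       # injectable clock for testing
        self._failures = defaultdict(deque)   # submitted username -> timestamps

    def _recent_failures(self, username):
        q = self._failures[username]
        cutoff = self._now() - WINDOW_SECONDS
        while q and q[0] < cutoff:            # drop failures outside the window
            q.popleft()
        return q

    def login(self, username, password):
        q = self._recent_failures(username)
        # Lockout is tracked per submitted name, not per existing account, so a
        # 429 is returned for unknown names too and does not leak existence.
        if len(q) >= MAX_FAILURES:
            return LOCKED
        known = username in self._users
        expected = self._users.get(username, DUMMY_SECRET)
        # Always run the comparison (even for unknown users) so the code path
        # and response are the same; '&' avoids short-circuiting on 'known'.
        ok = hmac.compare_digest(expected.encode(), password.encode()) & known
        if not ok:
            q.append(self._now())
            return GENERIC_FAILURE
        q.clear()
        return {"status": 200, "body": "ok"}
```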