An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. A command injection vulnerability resides in the HOST/IP section of the record settings menu in the webserver running on the device. By injecting Bash commands here, the device executes arbitrary code with root privileges (all of the device's services are running as root).
3633c78e948dbf68072a87d5a7c73a161e6a76ea536627422969fcefa860c12f
[Suggested description]
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
A command injection vulnerability resides in the HOST/IP section of the
record settings menu in the webserver running on the device. By
injecting Bash commands here, the device executes arbitrary code with
root privileges (all of the device's services are running as root).
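The defect described above is a classic shell-injection pattern: a host/IP setting taken from the web interface is interpolated into a command line and executed, so shell metacharacters in the field become commands (here, as root). The following is an added illustration, not the device's firmware or any code from the original report or from the discoverers. It assumes a hypothetical helper binary named `record-upload` that takes a `--host` argument, and the sample inputs are constructed. It contrasts the vulnerable string-concatenation form with a hardened form that (1) validates the field against a strict allowlist (a literal IPv4/IPv6 address or an RFC 1123 hostname) and (2) passes the value as a single argv element with no shell involved.

```python
import ipaddress
import re
from typing import List

# RFC 1123 hostname label: 1-63 chars of letters, digits or hyphen, no
# leading/trailing hyphen.  Anything else (';', '$', '`', spaces, ...) is
# rejected before it can reach a command line.  (Added example, not device code.)
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value: str) -> bool:
    """Allowlist check for a HOST/IP setting: literal IP or plain hostname only."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)      # accepts "192.168.1.10", "::1", ...
        return True
    except ValueError:
        pass                             # not an IP literal; try hostname grammar
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_record_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted field pasted into a shell command string.

    If this string were handed to os.system()/sh -c, a value such as
    "1.2.3.4;id" would run a second command with the server's privileges.
    """
    return f"record-upload --host {host}"   # 'record-upload' is hypothetical


def build_record_command_safe(host: str) -> List[str]:
    """Hardened form: validate first, then build an argv list (no shell).

    The returned list is meant for subprocess.run(argv) without shell=True,
    so the host value can only ever be one argument, never a command.
    """
    if not is_valid_host(host):
        raise ValueError(f"rejected HOST/IP setting: {host!r}")
    return ["record-upload", "--host", host]


def check_settings(candidates: List[str]) -> dict:
    """Return {input: accepted?} so a reviewer can see what the allowlist admits."""
    return {c: is_valid_host(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate values and three injection attempts.
    samples = ["192.168.1.10", "nas.home.lan", "192.168.1.10;id", "$(id)", "-x.example"]
    for value, ok in check_settings(samples).items():
        print(f"{value!r:24} -> {'accepted' if ok else 'rejected'}")
```

The key design choice is that validation happens on the setting as stored, not only at the point of use: a device that persists the raw field and re-reads it later (for example, when the record job fires) is still vulnerable if the check only sits in the HTTP handler. Running the resulting argv without a shell is the second, independent layer; neither replaces the other.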
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye, web interface
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
An attacker needs to be connected to the device's access point and have access to the admin panel (e.g. through sniffing or brute-forcing the credentials).
------------------------------------------
[Reference]
https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit cyber security, in assignment for the Consumentenbond. In addition, Pen Test Partners discovered this as well but did not request CVEs.
Use CVE-2020-11920.