汇总 barco 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 跨站脚本、路径处理缺陷、缓冲区溢出与内存损坏,在 软件部署与生产负载 使用场景中可能带来 应用崩溃、内存损坏与异常行为 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-34103 | An unauthenticated command injection vulnerability exists in WePresent WiPG-1000 firmware versions prior to 2.2.3.0, due to improper input handling in the undocumented /cgi-bin/rdfs.cgi endpoint. The Client parameter is not sanitized before being passed to a system call, allowing an unauthenticated remote attacker to execute arbitrary commands as the web server user. | [email protected] | 9.3 | 4.23% | 2025-07-15 | 2026-06-17 |
| CVE-2022-26978 | Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a URL /checklogin.jsp endpoint. The os_username parameters is not correctly sanitized, leading to reflected XSS. | [email protected] | 6.1 | 0.51% | 2022-06-02 | 2026-06-17 |
| CVE-2022-26977 | Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. Lack of input sanitization of the upload mechanism is leads to stored XSS. | [email protected] | 6.1 | 0.51% | 2022-06-02 | 2026-06-17 |
| CVE-2022-26976 | Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. Lack of input sanitization in the upload mechanism is leads to reflected XSS. | [email protected] | 5.4 | 0.41% | 2022-06-02 | 2026-06-17 |
| CVE-2022-26975 | Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing log files without authentication. | [email protected] | 7.5 | 0.92% | 2022-06-02 | 2026-06-17 |
| CVE-2022-26974 | Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a file upload mechanism. Lack of input sanitization in the upload mechanism leads to reflected XSS. | [email protected] | 6.1 | 0.51% | 2022-06-02 | 2026-06-17 |
| CVE-2022-26973 | Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. By tweaking the license file name, the returned error message exposes internal directory path details. | [email protected] | 5.3 | 0.70% | 2022-06-02 | 2026-06-17 |
| CVE-2022-26972 | Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a URL /cgi-bin endpoint. The URL parameters are not correctly sanitized, leading to reflected XSS. | [email protected] | 6.1 | 0.51% | 2022-06-02 | 2026-06-17 |
| CVE-2022-26971 | Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. This upload can be executed without authentication. | [email protected] | 5.3 | 0.66% | 2022-06-02 | 2026-06-17 |
| CVE-2022-26233 | Barco Control Room Management through Suite 2.9 Build 0275 was discovered to be vulnerable to directory traversal, allowing attackers to access sensitive information and components. Requests must begin with the "GET /..\.." substring. | [email protected] | 7.5 | 15.03% | 2022-04-03 | 2026-06-17 |
| CVE-2021-38142 | Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades. An attacker on the local network can achieve remote code execution on any computer that tries to update Windows Sender due to the fact that the upgrade mechanism is not secured (is not protected with TLS). | [email protected] | 8.8 | 0.46% | 2021-09-07 | 2026-06-17 |
| CVE-2021-35482 | An issue was discovered in Barco MirrorOp Windows Sender before 2.5.4.70. An attacker in the local network is able to achieve Remote Code Execution (with user privileges of the local user) on any device that tries to connect to a WePresent presentation system. | [email protected] | 7.8 | 0.44% | 2021-07-21 | 2026-06-16 |
| CVE-2020-17504 | The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in ngpsystemcmd.php in which the http parameters "x_modules" and "y_modules" are not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. | [email protected] | 7.2 | 2.85% | 2021-01-08 | 2026-06-16 |
| CVE-2020-17503 | The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter "locking" is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. | [email protected] | 7.2 | 2.85% | 2021-01-08 | 2026-06-16 |
| CVE-2020-17502 | Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users of the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameters xmodules, ymodules and savelocking are not properly handled. The NDN-210 is part of Barco TransForm N solution and includes the patch fro | [email protected] | 7.2 | 2.85% | 2021-01-08 | 2026-06-16 |
| CVE-2020-17500 | Barco TransForm NDN-210 Lite, NDN-210 Pro, NDN-211 Lite, and NDN-211 Pro before 3.8 allows Command Injection (issue 1 of 4). The NDN-210 has a web administration panel which is made available over https. The logon method is basic authentication. There is a command injection issue that will result in unauthenticated remote code execution in the username and password fields of the logon prompt. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 on | [email protected] | 9.8 | 3.94% | 2021-01-07 | 2026-06-16 |
| CVE-2020-28329 | Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. | [email protected] | 9.8 | 1.54% | 2020-11-24 | 2026-06-16 |
| CVE-2020-28334 | Barco wePresent WiPG-1600W devices use Hard-coded Credentials (issue 2 of 2). Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W device has a hardcoded root password hash included in the firmware image. Exploiting CVE-2020-28329, CVE-2020-28330 and CVE-2020-28331 could potentially be used in a simple and automated exploit chain to go from unauthenticated remote attacker to root shell. | [email protected] | 9.8 | 4.71% | 2020-11-24 | 2026-06-16 |
| CVE-2020-28333 | Barco wePresent WiPG-1600W devices allow Authentication Bypass. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web pro | [email protected] | 9.8 | 3.20% | 2020-11-24 | 2026-06-16 |
| CVE-2020-28332 | Barco wePresent WiPG-1600W devices download code without an Integrity Check. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W firmware does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images. | [email protected] | 9.8 | 1.08% | 2020-11-24 | 2026-06-16 |