CVE-2018-9157

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

7.5HIGH

EPSS

1.7%

top 17.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Axis M1033-w Firmware

Timeline

PublishedApr 1

Latest updateMay 14

Description

An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "<!--#exec cmd=" support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote c…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages1 packages

▶NVDaxis/m1033-w_firmware5.40.5.1

🔴Vulnerability Details

GHSA

GHSA-q2pc-jfhq-74q4: ** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5↗2022-05-14

▶

CVEList

CVE-2018-9157: An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5↗2018-04-01

▶