CVE-2023-21415
published 2023-10-16
high, 8.1 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allow for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and the solution.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| axis | axis_os | >= 11.0.81 < 11.6.94 | 11.6.94 |
| axis | axis_os | >= 6.50.5.3 < 6.50.5.14 | 6.50.5.14 |
| axis | axis_os_2016 | >= 6.50.2 < 6.50.5.2 | 6.50.5.2 |
| axis | axis_os_2018 | < 8.40.35 | 8.40.35 |
| axis | axis_os_2020 | < 9.80.47 | 9.80.47 |
| axis | axis_os_2022 | < 10.12.206 | 10.12.206 |
| axis_communications_ab | axis_os | — | — |