CVE-2023-5677

CWE-78OS Command InjectionCWE-94Code Injection3 documents3 sources
Severity
8.8HIGH
EPSS
0.1%
top 77.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
12
Axis M3024-lve FirmwareAxis M3025-ve FirmwareAxis M7014 Firmware+9 more
Timeline
PublishedFeb 5

Description

Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Please refer to the Axis security advisory for more i

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages12 packages

NVDaxis/m7014_firmware< 5.51.7.7
NVDaxis/m7016_firmware< 5.51.7.7
NVDaxis/p7214_firmware< 5.51.7.7
NVDaxis/p7216_firmware< 5.51.7.7
NVDaxis/q7401_firmware< 5.51.7.7

🔴Vulnerability Details

2
GHSA
GHSA-wpw2-f6x3-8f7j: Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest2024-02-05
CVEList
CVE-2023-5677: Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest2024-02-05
CVE-2023-5677 (HIGH CVSS 8.8) | Brandon Rothel from QED Secure Solu | cvebase.io