CVE-2023-5800Path Traversal: '.../...//' in OS

CWE-35Path Traversal: '.../...//'CWE-94Code Injection3 documents3 sources
Severity
8.8HIGHNVD
CNA5.4
EPSS
0.2%
top 61.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Axis OSAxis OS 2020Axis OS 2022+1 more
Timeline
PublishedFeb 5

Description

Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

NVDaxis/axis_os< 11.8.61
NVDaxis/axis_os_2020< 9.80.55
NVDaxis/axis_os_2022< 10.12.220
CVEListV5axis_communications_ab/axis_osAXIS OS 11.8, 10.12, 9.80, 8.40, 6.50

🔴Vulnerability Details

2
GHSA
GHSA-p8wr-r5ww-35j3: Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay2024-02-05
CVEList
Insufficient input validation in VAPIX API create_overlay.cgi2024-02-05
CVE-2023-5800 — Path Traversal: '.../...//' in Axis OS | cvebase