CVE-2024-8160
published 2024-11-26CVE-2024-8160: Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a…
low2.7CVSS 3.1
AVNACLPRHUINSUCNILAN
Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account.
Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| axis | axis_os | >= 10.9.0 < 12.1.21 | 12.1.21 |
| axis | axis_os_2022 | < 10.12.257 | 10.12.257 |
| axis | axis_os_2024 | < 11.11.116 | 11.11.116 |
| axis_communications_ab | axis_os | >= 10.9.0 < 10.12.257 | 10.12.257 |
| axis_communications_ab | axis_os | >= 12.0.0 < 12.1.21 | 12.1.21 |