CVE-2024-8160

CWE-12863 documents3 sources

Severity

2.7LOW

EPSS

0.1%

top 84.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Axis Communications AB Axis OS Axis Axis OS Axis Axis OS 2022 +1 more

Timeline

PublishedNov 26

Description

Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:LExploitability: 1.2 | Impact: 2.5

Affected Packages4 packages

▶NVDaxis/axis_os10.9.0 — 12.1.21

▶NVDaxis/axis_os_2022< 10.12.257

▶NVDaxis/axis_os_2024< 11.11.116

▶CVEListV5axis_communications_ab/axis_os10.9.0 — 10.12.257+1

🔴Vulnerability Details

GHSA

GHSA-qj8p-c5h3-g242: Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest↗2024-11-26

▶

CVEList

CVE-2024-8160: Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest↗2024-11-26

▶