Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
References
Link | Resource |
---|---|
https://www.axis.com/dam/public/49/93/55/cve-2023-21418-en-US-417792.pdf | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
28 Nov 2023, 21:34
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.1 |
First Time |
Axis
Axis axis Os 2020 Axis axis Os Axis axis Os 2022 Axis axis Os 2018 |
|
References | () https://www.axis.com/dam/public/49/93/55/cve-2023-21418-en-US-417792.pdf - Vendor Advisory | |
CPE | cpe:2.3:o:axis:axis_os_2018:*:*:*:*:lts:*:*:* cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:* cpe:2.3:o:axis:axis_os_2022:*:*:*:*:lts:*:*:* cpe:2.3:o:axis:axis_os:*:*:*:*:-:*:*:* cpe:2.3:o:axis:axis_os_2020:*:*:*:*:lts:*:*:* |
|
CWE | CWE-22 |
21 Nov 2023, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-21 07:15
Updated : 2023-12-10 15:26
NVD link : CVE-2023-21418
Mitre link : CVE-2023-21418
CVE.ORG link : CVE-2023-21418
JSON object : View
Products Affected
axis
- axis_os_2020
- axis_os
- axis_os_2022
- axis_os_2018
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')