Brandon
Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi
did not have a sufficient input validation allowing for a possible remote code
execution. This flaw can only be exploited after authenticating with an
operator- or administrator-privileged service account. The impact of exploiting
this vulnerability is lower with operator-privileges compared to
administrator-privileges service accounts. Axis has released patched AXIS OS
versions for the highlighted flaw. Please refer to the Axis security advisory
for more information and solution.
References
| Link | Resource |
|---|---|
| https://www.axis.com/dam/public/a9/dd/f1/cve-2023-5677-en-US-424335.pdf | Vendor Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
Configuration 2 (hide)
| AND |
|
Configuration 3 (hide)
| AND |
|
Configuration 4 (hide)
| AND |
|
Configuration 5 (hide)
| AND |
|
Configuration 6 (hide)
| AND |
|
Configuration 7 (hide)
| AND |
|
Configuration 8 (hide)
| AND |
|
Configuration 9 (hide)
| AND |
|
Configuration 10 (hide)
| AND |
|
Configuration 11 (hide)
| AND |
|
History
13 Feb 2024, 00:38
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-94 | |
| CPE | cpe:2.3:o:axis:m3025-ve_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:axis:q7424-r_mk_ii_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:axis:m7014_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:axis:p1214-e:-:*:*:*:*:*:*:* cpe:2.3:o:axis:q7404_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:axis:m3024-lve:-:*:*:*:*:*:*:* cpe:2.3:h:axis:q7404:-:*:*:*:*:*:*:* cpe:2.3:o:axis:m3024-lve_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:axis:q7401_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:axis:p7216_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:axis:m7016_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:axis:p7214_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:axis:q7401:-:*:*:*:*:*:*:* cpe:2.3:h:axis:m7014:-:*:*:*:*:*:*:* cpe:2.3:h:axis:q7424-r_mk_ii:-:*:*:*:*:*:*:* cpe:2.3:h:axis:m3025-ve:-:*:*:*:*:*:*:* cpe:2.3:h:axis:q7414:-:*:*:*:*:*:*:* cpe:2.3:h:axis:p7214:-:*:*:*:*:*:*:* cpe:2.3:h:axis:m7016:-:*:*:*:*:*:*:* cpe:2.3:o:axis:q7414_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:axis:p7216:-:*:*:*:*:*:*:* cpe:2.3:o:axis:p1214-e_firmware:*:*:*:*:*:*:*:* |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
| First Time |
Axis q7404 Firmware
Axis m3024-lve Axis p7216 Axis m3025-ve Axis p7214 Axis q7404 Axis m3025-ve Firmware Axis p1214-e Axis q7401 Axis p7216 Firmware Axis p7214 Firmware Axis q7424-r Mk Ii Firmware Axis m7016 Axis q7414 Firmware Axis m7016 Firmware Axis m7014 Axis p1214-e Firmware Axis m7014 Firmware Axis q7401 Firmware Axis q7414 Axis m3024-lve Firmware Axis Axis q7424-r Mk Ii |
|
| References | () https://www.axis.com/dam/public/a9/dd/f1/cve-2023-5677-en-US-424335.pdf - Vendor Advisory |
05 Feb 2024, 13:54
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
05 Feb 2024, 06:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-02-05 06:15
Updated : 2024-02-13 00:38
NVD link : CVE-2023-5677
Mitre link : CVE-2023-5677
CVE.ORG link : CVE-2023-5677
JSON object : View
Products Affected
axis
- p7214_firmware
- m3025-ve_firmware
- q7424-r_mk_ii_firmware
- m7016_firmware
- p1214-e_firmware
- p7216_firmware
- q7401
- m3024-lve
- p7216
- q7404
- q7424-r_mk_ii
- m7014
- q7414_firmware
- q7401_firmware
- m7016
- m7014_firmware
- p1214-e
- m3025-ve
- p7214
- m3024-lve_firmware
- q7414
- q7404_firmware
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')