Skip to main content

C Mor Video Surveillance CVE-2024-45179

HIGH
Improper Validation of Unsafe Equivalence in Input (CWE-1289)
2024-10-09 cve@mitre.org
7.2
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 09, 2024 - 04:15 cve.org
HIGH 7.2

DescriptionCVE.org

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. It was found out that different functionality is vulnerable to OS command injection attacks, for example for generating new X.509 certificates, or setting the time zone. These OS command injection vulnerabilities in the script generatesslreq.pml can be exploited as a low-privileged authenticated user to execute commands in the context of the Linux user www-data via shell metacharacters in HTTP POST data (e.g., the city parameter). The OS command injection vulnerability in the script settimezone.pml or setdatetime.pml (e.g., via the year parameter) requires an administrative user for the C-MOR web interface. By also exploiting a privilege-escalation vulnerability, it is possible to execute commands on the C-MOR system with root privileges.

AnalysisAI

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-1289. An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. It was found out that different functionality is vulnerable to OS command injection attacks, for example for generating new X.509 certificates, or setting the time zone. These OS command injection vulnerabilities in the script generatesslreq.pml can be exploited as a low-privileged authenticated user to execute commands in the context of the Linux user www-data via shell metacharacters in HTTP POST data (e.g., the city parameter). The OS command injection vulnerability in the script settimezone.pml or setdatetime.pml (e.g., via the year parameter) requires an administrative user for the C-MOR web interface. By also exploiting a privilege-escalation vulnerability, it is possible to execute commands on the C-MOR system with root privileges. Affected products include: C-Mor C-Mor Video Surveillance.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-45175 HIGH POC
8.8 Sep 05

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Rated high severity (CVSS 8.8), this vulnerabili

CVE-2024-45171 HIGH POC
8.8 Sep 05

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Rated high severity (CVSS 8.8), this vulnerabili

CVE-2024-45173 HIGH POC
8.8 Sep 05

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Rated high severity (CVSS 8.8), this vulnerabili

CVE-2024-45174 HIGH POC
8.1 Sep 04

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Rated high severity (CVSS 8.1), thi

CVE-2024-45170 HIGH POC
8.1 Sep 04

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2024-45178 HIGH POC
7.1 Sep 05

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Rated high severity (CVSS 7.1), this vulnerabili

CVE-2024-45172 MEDIUM POC
6.8 Sep 04

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Rated medium severity (CVSS 6.8), t

CVE-2024-45176 MEDIUM POC
6.1 Sep 05

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Rated medium severity (CVSS 6.1), this vulnerabi

CVE-2024-45177 MEDIUM POC
5.4 Sep 04

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Rated medium severity (CVSS 5.4), t

Share

CVE-2024-45179 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy