Axis OS
Monthly
The VAPIX API mediaclip.cgi did not have sufficient input validation, allowing for possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. [CVSS 7.1 HIGH]
An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
The ACAP Application framework could allow privilege escalation through a symlink attack. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. Rated medium severity (CVSS 6.4). No vendor patch available.
A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, leading to potential privilege escalation of the malicious ACAP. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
ACAP applications can be executed with elevated privileges, potentially leading to privilege escalation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, authenticated user with lower privileges to escalate to administrator-level access. Discovered during a penetration test by Truesec, this flaw affects Axis network devices and cameras utilizing the vulnerable VAPIX framework. With a CVSS score of 8.8 and local attack vector, the vulnerability poses significant risk to organizations deploying Axis devices in multi-user or untrusted environments, though it requires prior authentication and local access to exploit.
Privilege escalation in Axis VAPIX framework.
During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed for unauthenticated username. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation, which allowed an attacker to upload files to block access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework that could lead to an incorrect user privilege level. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods. Rated high severity (CVSS 8.5), this vulnerability requires no authentication and is low attack complexity. No vendor patch available.
Girishunawane, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have sufficient input validation, allowing for a possible command injection leading. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.