cvelist, Axis, CVELIST:CVE-2023-5677
History: Feb 05, 2024 - 5:20 a.m.

CVE-2023-5677 Insufficient input validation in VAPIX API tcptest.cgi

2024-02-05 05:20:24
Axis
www.cve.org
cve-2023-5677
vapix api
input validation
vulnerability
remote code execution
operator-privileges
administrator-privileges
axis os
security advisory

CVSS3: 6.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score: 8.9
Confidence: High

EPSS: 0.001
Percentile: 21.8%

Brandon Rothel from QED Secure Solutions has found that the VAPIX API
tcptest.cgi did not have sufficient input validation, allowing for a possible
remote code execution. This flaw can only be exploited after authenticating
with an operator- or administrator-privileged service account. The impact of
exploiting this vulnerability is lower with operator-privileged service accounts
than with administrator-privileged ones. Axis has released patched AXIS OS
versions for the highlighted flaw. Please refer to the Axis security advisory
for more information and the solution.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "AXIS OS",
    "vendor": "Axis Communications AB",
    "versions": [
      {
        "status": "affected",
        "version": "AXIS OS 5.51"
      }
    ]
  }
]
