Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2023-21418
Modified
More InfoOfficial Page
Source-product-security@axis.com
View Known Exploited Vulnerability (KEV) details
Published At-21 Nov, 2023 | 07:15
Updated At-08 Nov, 2024 | 09:15

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.1HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Secondary3.17.1HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Type: Primary
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Type: Secondary
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CPE Matches
axis
axis
>>axis_os>>Versions before 6.50.5.15(exclusive)
cpe:2.3:o:axis:axis_os:*:*:*:*:-:*:*:*
axis
axis
>>axis_os>>Versions before 11.7.57(exclusive)
cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:*
axis
axis
>>axis_os_2018>>Versions before 8.40.35(exclusive)
cpe:2.3:o:axis:axis_os_2018:*:*:*:*:lts:*:*:*
axis
axis
>>axis_os_2020>>Versions before 9.80.49(exclusive)
cpe:2.3:o:axis:axis_os_2020:*:*:*:*:lts:*:*:*
axis
axis
>>axis_os_2022>>Versions before 10.12.213(exclusive)
cpe:2.3:o:axis:axis_os_2022:*:*:*:*:lts:*:*:*
Weaknesses
CWE IDTypeSource
CWE-22Primarynvd@nist.gov
CWE-35Secondaryproduct-security@axis.com
CWE ID: CWE-22
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-35
Type: Secondary
Source: product-security@axis.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.axis.com/dam/public/49/93/55/cve-2023-21418-en-US-417792.pdfproduct-security@axis.com
Vendor Advisory
Hyperlink: https://www.axis.com/dam/public/49/93/55/cve-2023-21418-en-US-417792.pdf
Source: product-security@axis.com
Resource:
Vendor Advisory
Change History
0Changes found
Details not found