Axis OS Vulnerability Could Lead to Command Injection and File Transfer
CVE-2024-8160

3.8LOW

Key Information:

Vendor: Axis Communications Ab
Status: Axis Os
Vendor: CVE Published:; 26 November 2024

What is CVE-2024-8160?

Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Affected Version(s)

AXIS OS 10.9.0 < 10.12.257

AXIS OS 12.0.0 < 12.1.21

AXIS OS 11.0.0 < 11.11.116

References

https://www.axis.com/dam/public/permalink/231071/cve-2024...

CVSS V3.1

Score:

3.8

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 26, 2024
Vulnerability Reserved
Aug 26, 2024

Axis Communications Ab

What is CVE-2024-8160?

Affected Version(s)

References

CVSS V3.1

Timeline