Ubiquiti Networks: UniFi Video Server - Arbitrary file upload as SYSTEM

2016-04-10T12:02:10
ID H1:129641
Type hackerone
Reporter hamlon
Modified 2018-11-07T11:47:19

Description

In UniFi Video Server prior to 3.3.0, due to lack of filename verification, it was possible to upload files to arbitrary locations using a especially crafted HTTP request. The exploit require valid credentials and is only exploitable in the Windows version.