13 matches found
CVE-2024-8772
51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API managedoverlayimages.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited...
CVE-2024-6979
Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of...
CVE-2024-6509
Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security...
CVE-2024-6979
Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of...
CVE-2024-6979
CVE-2024-6979 affects Axis OS, where a broken access control could allow less-privileged operator- and/or viewer-accounts to gain higher privileges. The issue is described as requiring complex steps and social engineering to trigger administrator configurations, with exploitation risk considered ...
CVE-2024-6173
CVE-2024-6173 concerns Axis OS: a Guard Tour VAPIX API parameter allows arbitrary values, enabling an attacker to block access to the guard tour configuration page in the Axis web interface. Reported by AXIS OS Bug Bounty participant, the flaw’s impact is described as blocking access (availabilit...
CVE-2024-6509
Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security...
CVE-2024-0055
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis...
CVE-2023-21418
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact...
CVE-2023-21418
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact...
CVE-2023-21418
AXIS OS vulnerability CVE-2023-21418 affects the VAPIX API irissetup.cgi, where path traversal could delete files. Exploitation requires authentication with an operator- or administrator-privileged service account, with impact higher on administrator privileges and lower on operator accounts (non...
CVE-2023-21417
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allows for file/folder deletion. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service...
CVE-2023-21415
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlaydel.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has...