75 matches found
Ubiquiti Inc.: Camera adoption DoS - UniFi Protect
A vulnerability was found in UniFi Protect v1.13.7 and earlier that would allow an attacker to use spoofed cameras to perform a denial-of-service attack that could cause the UniFi Protect controller to crash. This vulnerability is fixed in UniFi Protect v1.17.1 and later versions. Affected...
Ubiquiti Inc.: View Only to Root Privilege Escalation on UniFi Protect
UniFi Protect v1.13.2 and prior containing vulnerabilities allowing users to run certain custom commands that can be used to assign themselves unauthorized roles, escalating their privileges. These vulnerabilities were found on UniFi Protect v1.13.2 and prior versions for Cloud Key Gen2 plus. The...
Ubiquiti Inc.: XW 6.2.0 firmware: 5 Reflected XSS issues in link.cgi
AirMax XW.v6.2.0 multiple end-points with parameters vulnerable to reflected cross site scripting XSS, allowing attackers to abuse the user' session information and/or account takeover of the admin user. These vulnerabilities were found on AirMax AirMax AirOS v6.2.0 and prior versions for TI, XW...
Ubiquiti Inc.: Unauthenticated request allows changing hostname
We have recently released new version of UniFi Cloud Key firmware that fixes a vulnerability found on v1.1.6 and prior for Cloud Key gen2 and Cloud Key gen2 Plus, according to the description below: Unauthenticated API requests allow changing device hostname. Affected Products: UniFi Cloud Key Ge...
Ubiquiti Inc.: SNMP Community String Disclosure to ReadOnly Users on EdgeSwitch
Read only users could execute unauthorized tasks and through SNMP community string pages. These vulnerabilities were found on EdgeSwitch 1G switch ESWH and EdgeSwitch 10G switch ESGH firmware v1.9.0. The fix for these vulnerabilities were included in the EdgeMax EdgeSwitch firmware v1.9.1 For mor...
Ubiquiti Inc.: Readonly to Root Privilege Escalation on EdgeSwitch
An authenticated read-only user can execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges. These vulnerabilities were found on EdgeSwitch 1G switch ESWH and EdgeSwitch 10G switch ESGH firmware v1.9.0. The fix for these vulnerabilities were included in the...
Ubiquiti Inc.: Web Server Predictable Session ID on EdgeSwitch
In EdgeSwitch legacy web interface the SIDSSL cookie for admin can be guessed, enabling the attacker to obtain high privileges and get a root shell by a Command injection. These vulnerabilities were found on EdgeSwitch 1G switch ESWH and EdgeSwitch 10G switch ESGH firmware v1.9.0. The fix for the...
Ubiquiti Inc.: Local File Disclosure (+XSS+CSRF) in AirOS 6.2.0 devices
There are certain end-points containing functionalities that are vulnerable to reflected cross site scripting XSS, allowing attackers to abuse the user' session information and/or account takeover of the admin user. Authenticated users can be persuaded to visit malicious web pages, which allows...
Ubiquiti Inc.: Privilege Escalation From user to SYSTEM via unauthenticated command execution
The vulnerability, or feature depending how you look at it, is the ability to execute commands using the evostream API interface that is exposed on localhost:7440. Since the evostream service is running as SYSTEM a user can use the launchprocess command,...
Ubiquiti Inc.: UniFi Video v3.10.1 (Windows) Local Privileges Escalation to SYSTEM from arbitrary filedelete and DLL hijack vulnerabilities.
Summary: UniFi Video v3.10.1 for Windows 7/8/10 x64 Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the windows...
Ubiquiti Inc.: Catch mails sent to an SMTP Server over SSL using an Evil SMTP Server
A malicious actor setting up an SMTP proxy server between the UniFi Controller and their actual SMTP server can record their SMTP credentials for malicious use...
Ubiquiti Inc.: Login as root without password on EdgeSwitchX
In EdgeSwitch X v1.1.0 and prior, an unauthenticated user can use the "local port forwarding" and "dynamic port forwarding" SOCKS proxy functionalities. Remote attackers without credentials can exploit this bug to access local services or forward traffic through the device if SSH is enabled in th...
Ubiquiti Inc.: EdgeSwitch Command Injection
In EdgeSwitch X v1.1.0 and prior, a privileged user can execute arbitrary shell commands over the SSH CLI interface. This allows to execute shell commands under the root user...
Ubiquiti Inc.: CORS Misconfiguration leading to Private Information Disclosure
Due to mistake on te CORS policy configuration, the sites https://client.amplifi.com and https://protect.ubnt.com/ CORS policy allowed HTTP requests to be made from certain sites outside the .ubnt.com and .ui.com domains. This bug could be used to steal users information or force the user to...
Ubiquiti Inc.: Public Jenkins instance with /script enabled
Hi, First of all. I'm not 100% able to verify that this server is actually owned by Ubnt as there are multiple DNS Name's in the SSL certificate. DNS Name: .uum.com DNS Name: .ubnt.com DNS Name: .svc.ubnt.com DNS Name: .api.uum.com DNS Name: .svc.uum.com DNS Name: uum.com So, the server hosted on...
Ubiquiti Inc.: Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7
AirMax XW.v6.2.0 and prior containing multiple end-points with parameters vulnerable to reflected cross site scripting XSS, allowing attackers to abuse the user' session information and/or account takeover of the admin user. These vulnerabilities were found on AirMax AirMax AirOS v6.2.0 and prior...
Ubiquiti Inc.: Two Factor Authentication Bypass
The researcher found a method to brute-force the 2FA code request in the www.ubnt.com login page. This method still requires the username/password from the account...
Ubiquiti Inc.: Bypass blocked profile protection on aircrm.ubnt.com
The researcher discovered a bypass in the "block profile publication" feature...
Ubiquiti Inc.: 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290)
There are certain end-points containing functionalities that are vulnerable to reflected cross site scripting XSS, allowing attackers to abuse the user' session information and/or account takeover of the admin user. Authenticated users can be persuaded to visit malicious web pages, which allows...
Ubiquiti Inc.: UniFi Video Server web interface admin user Firmware Update path traversal leading to local system compromise
The UniFi Video Server for Windows web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the...