An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. It was found out that different functionality is vulnerable to OS command injection attacks, for example for generating new X.509 certificates, or setting the time zone. These OS command injection vulnerabilities in the script generatesslreq.pml can be exploited as a low-privileged authenticated user to execute commands in the context of the Linux user www-data via shell metacharacters in HTTP POST data (e.g., the city parameter). The OS command injection vulnerability in the script settimezone.pml or setdatetime.pml (e.g., via the year parameter) requires an administrative user for the C-MOR web interface. By also exploiting a privilege-escalation vulnerability, it is possible to execute commands on the C-MOR system with root privileges.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Wed, 09 Oct 2024 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Za-internet
Za-internet c-mor Video Surveillance |
|
Weaknesses | CWE-1289 | |
CPEs | cpe:2.3:a:za-internet:c-mor_video_surveillance:5.2401:*:*:*:*:*:*:* cpe:2.3:a:za-internet:c-mor_video_surveillance:6.00pl01:*:*:*:*:*:*:* |
|
Vendors & Products |
Za-internet
Za-internet c-mor Video Surveillance |
|
Metrics |
cvssV3_1
|
Wed, 09 Oct 2024 04:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. It was found out that different functionality is vulnerable to OS command injection attacks, for example for generating new X.509 certificates, or setting the time zone. These OS command injection vulnerabilities in the script generatesslreq.pml can be exploited as a low-privileged authenticated user to execute commands in the context of the Linux user www-data via shell metacharacters in HTTP POST data (e.g., the city parameter). The OS command injection vulnerability in the script settimezone.pml or setdatetime.pml (e.g., via the year parameter) requires an administrative user for the C-MOR web interface. By also exploiting a privilege-escalation vulnerability, it is possible to execute commands on the C-MOR system with root privileges. | |
References |
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2024-10-09T00:00:00
Updated: 2024-10-09T14:07:50.564Z
Reserved: 2024-08-22T00:00:00
Link: CVE-2024-45179
Vulnrichment
Updated: 2024-10-09T04:03:35.949Z
NVD
Status : Awaiting Analysis
Published: 2024-10-09T04:15:09.487
Modified: 2024-11-21T09:37:25.703
Link: CVE-2024-45179
Redhat
No data.