CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47782 – motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution
https://notcve.org/view.php?id=CVE-2025-47782
14 May 2025 — motionEye is an online interface for the software motion, a video surveillance program with motion detection. In versions 0.43.1b1 through 0.43.1b3, using a constructed (camera) device path with the `add`/`add_camera` motionEye web API allows an attacker with motionEye admin user credentials to execute any command within a non-interactive shell as motionEye run user, `motion` by default. The vulnerability has been patched with motionEye v0.43.1b4. As a workaround, apply the patch manually. • https://github.com/motioneye-project/motioneye/issues/3142 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 89%CPEs: 1EXPL: 1CVE-2022-25568
https://notcve.org/view.php?id=CVE-2022-25568
24 Mar 2022 — MotionEye v0.42.1 and below allows attackers to access sensitive information via a GET request to /config/list. To exploit this vulnerability, a regular user password must be unconfigured. MotionEye versiones v0.42.1 y anteriores, permiten a atacantes acceder a información confidencial por medio de una petición GET a /config/list. Para explotar esta vulnerabilidad, debe desconfigurarse la contraseña de un usuario normal • https://github.com/ccrisan/motioneye/issues/2292 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 7.2EPSS: 19%CPEs: 2EXPL: 1CVE-2021-44255
https://notcve.org/view.php?id=CVE-2021-44255
31 Jan 2022 — Authenticated remote code execution in MotionEye <= 0.42.1 and MotioneEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the server. Una ejecución de código remoto autenticado en MotionEye versiones anteriores a 0.42.1 incluyéndola y MotioneEyeOS versiones anteriores a 20200606 incluyéndola, permite a un atacante remoto cargar un archivo de copia de seguridad de la configuración que contiene un archi... • https://github.com/pizza-power/motioneye-authenticated-RCE • CWE-306: Missing Authentication for Critical Function •