CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45179 – C-MOR Video Surveillance 5.2401 / 6.00PL01 Command Injection
https://notcve.org/view.php?id=CVE-2024-45179
06 Sep 2024 — An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. It was found out that different functionality is vulnerable to OS command injection attacks, for example for generating new X.509 certificates, or setting the time zone. These OS command injection vulnerabilities in the script generatesslreq.pml can be exploited as a low-privileged authenticated user to execute comma... • https://packetstorm.news/files/id/181385 • CWE-1289: Improper Validation of Unsafe Equivalence in Input •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45173 – C-MOR Video Surveillance 5.2401 / 6.00PL01 Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-45173
05 Sep 2024 — An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper privilege management concerning sudo privileges, C-MOR is vulnerable to a privilege escalation attack. The Linux user www-data running the C-MOR web interface can execute some OS commands as root via Sudo without having to enter the root password. These commands, for example, include cp, chown, and chmod, which enable an attacker to modify the system's sudoers file in order to execute all commands with root privileges. T... • https://packetstorm.news/files/id/181382 • CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45171 – C-MOR Video Surveillance 5.2401 Remote Shell Upload
https://notcve.org/view.php?id=CVE-2024-45171
05 Sep 2024 — An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to upload dangerous files, for instance PHP code, to the C-MOR system. By analyzing the C-MOR web interface, it was found out that the upload functionality for backup files allows an authenticated user to upload arbitrary files. The only condition is that the filename contains a .cbkf string. Therefore, webshell.cbkf.php is considered a valid file name for the C-MOR web application. • https://packetstorm.news/files/id/181381 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45175 – C-MOR Video Surveillance 5.2401 / 6.00PL01 Information Disclosure / Cleartext Secret
https://notcve.org/view.php?id=CVE-2024-45175
05 Sep 2024 — An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Sensitive information is stored in cleartext. It was found out that sensitive information, for example login credentials of cameras, is stored in cleartext. Thus, an attacker with filesystem access, for example exploiting a path traversal attack, has access to the login data of all configured cameras, or the configured FTP server. C-MOR Video Surveillance versions 5.2401 and 6.00PL01 stores sensitive information, such as credentials, in... • https://packetstorm.news/files/id/181383 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45178 – C-MOR Video Surveillance 5.2401 Path Traversal
https://notcve.org/view.php?id=CVE-2024-45178
05 Sep 2024 — An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to download arbitrary files from the C-MOR system via a path traversal attack. It was found out that different functionalities are vulnerable to path traversal attacks, due to insufficient user input validation. For instance, the download functionality for backups provided by the script download-bkf.pml is vulnerable to a path traversal attack via the parameter bkf. This enables an a... • https://packetstorm.news/files/id/181380 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45170 – C-MOR Video Surveillance 5.2401 Improper Access Control
https://notcve.org/view.php?id=CVE-2024-45170
04 Sep 2024 — An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper or missing access control, low privileged users can use administrative functions of the C-MOR web interface. It was found out that different functions are only available to administrative users. However, access those functions is restricted via the web application user interface and not checked on the server side. Thus, by sending corresponding HTTP requests to the web server of the C-MOR web interface, low privileged us... • https://packetstorm.news/files/id/181379 • CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45177 – C-MOR Video Surveillance 5.2401 / 6.00PL01 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2024-45177
04 Sep 2024 — An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to improper input validation, the C-MOR web interface is vulnerable to persistent cross-site scripting (XSS) attacks. It was found out that the camera configuration is vulnerable to a persistent cross-site scripting attack due to insufficient user input validation. C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/181376 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45174 – C-MOR Video Surveillance 5.2401 / 6.00PL01 SQL Injection
https://notcve.org/view.php?id=CVE-2024-45174
04 Sep 2024 — An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to improper validation of user-supplied data, different functionalities of the C-MOR web interface are vulnerable to SQL injection attacks. This kind of attack allows an authenticated user to execute arbitrary SQL commands in the context of the corresponding MySQL database. C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/181378 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45172 – C-MOR Video Surveillance 5.2401 / 6.00PL01 Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-45172
04 Sep 2024 — An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to missing protection mechanisms, the C-MOR web interface is vulnerable to cross-site request forgery (CSRF) attacks. The C-MOR web interface offers no protection against cross-site request forgery (CSRF) attacks. C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a cross site request forgery vulnerability. • https://packetstorm.news/files/id/181377 • CWE-352: Cross-Site Request Forgery (CSRF) •