// For flags

CVE-2020-8145

 

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup” and “wizard” endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP or CUSTOM_GROUP groups, can access these endpoints and overwrite the current application configuration. This can be abused for various purposes, including adding new administrative users. Affected Products: UniFi Video Controller v3.9.3 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.9.6 and newer.

La funcionalidad de restauración de la configuración de la interfaz web de UniFi Video Server (Windows) en los endpoints “backup” y “wizard” no implementa suficientes comprobaciones de privilegios. Los usuarios poco privilegiados, que pertenecen a los grupos PUBLIC_GROUP o CUSTOM_GROUP, pueden acceder a estos endpoints y sobrescribir la configuración actual de la aplicación. Esto puede ser abusado para varios fines, incluyendo la adición de nuevos usuarios administrativos. Productos afectados: UniFi Video Controller versión v3.9.3 (para Windows 7/8/10 x64) y anteriores. Corregido en UniFi Video Controller versión v3.9.6 y más recientes.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-28 CVE Reserved
  • 2020-04-01 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ui
Search vendor "Ui"
 Unifi Video
Search vendor "Ui" for product "Unifi Video"
 <= 3.9.3
Search vendor "Ui" for product "Unifi Video" and version " <= 3.9.3"
-
Affected
in Microsoft
Search vendor "Microsoft"
 Windows
Search vendor "Microsoft" for product "Windows"
--
Safe