Back

CVE-2024-45173

Sept. 5, 2024, 6:35 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

C-MOR Video Surveillance

  • 5.2401

Source

cve@mitre.org

Tags

cve@mitre.org
CWE-269
2024-09-05
CVE-2024-45173

CVE-2024-45173 details

Published : Sept. 5, 2024, 3:15 p.m.
Last Modified : Sept. 5, 2024, 6:35 p.m.

Description

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper privilege management concerning sudo privileges, C-MOR is vulnerable to a privilege escalation attack. The Linux user www-data running the C-MOR web interface can execute some OS commands as root via Sudo without having to enter the root password. These commands, for example, include cp, chown, and chmod, which enable an attacker to modify the system's sudoers file in order to execute all commands with root privileges. Thus, it is possible to escalate the limited privileges of the user www-data to root privileges.

CVSS Score

1 2 3 4 5 6 7 8.8 9 10

Weakness

Weakness Name Description
CWE-269 Improper Privilege Management The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Exploitability Score

2.8

Impact Score

5.9

Base Severity

HIGH

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

URL Source
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt cve@mitre.org
https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-videoueberwachungssoftware-c-mor-syss-2024-020-bis-030 cve@mitre.org
This website uses the NVD API, but is not approved or certified by it.