
THREATINT
PUBLISHED

CVE-2024-45171



Description

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to upload dangerous files, for instance PHP code, to the C-MOR system. Analysis of the C-MOR web interface showed that the upload functionality for backup files allows an authenticated user to upload arbitrary files. The only condition is that the filename contains the string .cbkf. Therefore, webshell.cbkf.php is considered a valid file name by the C-MOR web application. Uploaded files are stored in the directory "/srv/www/backups" on the C-MOR system and can thus be accessed via the URL https://<HOST>/backup/upload_<FILENAME>. Due to broken access control, low-privileged authenticated users can also use this file upload functionality.
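The filename rule described above, set beside a stricter check and a small audit of stored names, as an added example (not code from C-MOR or from the advisory). The function names, the allowed character set and the sample listing are assumptions made for illustration; the `upload_` prefix is taken from the URL pattern in the description.

```python
import os
import re

# Assumed policy: one conservative name component, then exactly ".cbkf".
SAFE_BACKUP_NAME = re.compile(r"[A-Za-z0-9_-]+\.cbkf")


def substring_check(filename):
    """The rule the description reports: any name containing '.cbkf' passes."""
    return ".cbkf" in filename


def strict_check(filename):
    """Accept only a bare file name whose single extension is '.cbkf'."""
    if filename != os.path.basename(filename):
        return False  # path components are never part of a backup name
    # fullmatch rejects extra extensions, trailing newlines and NUL bytes.
    return SAFE_BACKUP_NAME.fullmatch(filename) is not None


def audit_names(stored_names, prefix="upload_"):
    """Return stored names the substring rule accepts but the strict rule rejects."""
    flagged = []
    for stored in stored_names:
        original = stored[len(prefix):] if stored.startswith(prefix) else stored
        if substring_check(original) and not strict_check(original):
            flagged.append(stored)
    return flagged


# Constructed listing, standing in for the contents of the backup directory.
SAMPLE_LISTING = [
    "upload_backup.cbkf",
    "upload_webshell.cbkf.php",   # the file name given in the description
    "upload_site.cbkf.bak",
    "upload_nightly-01.cbkf",
]

if __name__ == "__main__":
    for name in audit_names(SAMPLE_LISTING):
        print("review:", name)
```

Validating the name narrows the input, but storing uploads under a server-generated name outside the web root removes the dependence on the client-supplied extension altogether.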

Reserved 2024-08-22 | Published 2024-09-05 | Updated 2024-09-06 | Assigner mitre

References

www.syss.de/...te/Publikationen/Advisories/SYSS-2024-026.txt

www.syss.de/...rwachungssoftware-c-mor-syss-2024-020-bis-030

cve.org (CVE-2024-45171)

nvd.nist.gov (CVE-2024-45171)
