Frederik Beimgraben

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered where sensitive information, such as login credentials of cameras, is stored in cleartext. This allows an attacker with filesystem access, potentially gained through exploiting a path traversal attack, to access the login data of all configured cameras or the configured FTP server. **Recommendations** For za-internet C-MOR Video Surveillance version 5.2401, consider restricting filesystem access to minimize the risk of exploitation. As a temporary workaround, restrict access to sensitive information storage until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper input validation, making the C-MOR web interface vulnerable to reflected cross-site scripting (XSS) attacks. Different functions are prone to reflected cross-site scripting attacks due to insufficient user input validation. **Recommendations** For version 5.2401, consider disabling the web interface temporarily until a patch is available to prevent exploitation of the reflected cross-site scripting vulnerability. Restrict access to the C-MOR web interface to minimize the risk of exploitation. Avoid using the web interface for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper privilege management concerning sudo privileges, making C-MOR vulnerable to a privilege escalation attack. The Linux user www-data running the C-MOR web interface can execute some OS commands as root via Sudo without having to enter the root password. These commands include `cp`, `chown`, and `chmod`, which enable an attacker to modify the system's sudoers file in order to execute all commands with root privileges. Thus, it is possible to escalate the limited privileges of the user www-data to root privileges. **Recommendations** For version 5.2401, consider restricting the sudo privileges of the www-data user to prevent the execution of sensitive commands like `cp`, `chown`, and `chmod` until a patch is available. As a temporary workaround, consider disabling the sudo access for the www-data user to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper user input validation, making it possible to download arbitrary files from the system via a path traversal attack. Different functionalities are vulnerable to path traversal attacks, including the download functionality for backups provided by the script `download-bkf.pml` via the parameter `bkf`, and the script `show-movies.pml` via the parameter `cam`. This enables an authenticated user to download arbitrary files as Linux user `www-data` from the system. **Recommendations** For version 5.2401, consider disabling the `download-bkf.pml` and `show-movies.pml` scripts until a patch is available to prevent path traversal attacks. Restrict access to the `bkf` and `cam` parameters in the affected scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper user input validation, allowing the upload of dangerous files, such as PHP code, to the system. The upload functionality for backup files permits an authenticated user to upload arbitrary files if the filename contains a .cbkf string. Uploaded files are stored in the "/srv/www/backups" directory and can be accessed via the URL https://<HOST>/backup/upload <FILENAME>. Low-privileged authenticated users can also exploit this file upload functionality due to broken access control. **Recommendations** For version 5.2401, consider disabling the file upload functionality for backup files until a patch is available. Restrict access to the "/srv/www/backups" directory to minimize the risk of exploitation. Avoid using filenames with the .cbkf string in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance version 5.2401 **Description** An issue was discovered due to improper or missing access control, allowing low privileged users to use administrative functions of the C-MOR web interface. Although different functions are only available to administrative users through the web application user interface, access to those functions is not checked on the server side. This allows low privileged users to send corresponding HTTP requests to the web server and use administrative functionality, such as downloading backup files or changing configuration settings. **Recommendations** For version 5.2401, consider restricting access to administrative functions until a proper fix is applied, by implementing server-side checks to ensure that only authorized users can access these features. As a temporary workaround, restrict low-privileged users from sending HTTP requests to the web server that could exploit this issue.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance versions 5.2401 through 6.00PL01 **Description** An issue was discovered in the C-MOR web interface, which is vulnerable to cross-site request forgery (CSRF) attacks due to missing protection mechanisms. The C-MOR web interface offers no protection against CSRF attacks. **Recommendations** For versions 5.2401 through 6.00PL01, consider disabling access to the C-MOR web interface until a patch is available to prevent potential CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance versions 5.2401 through 6.00PL01 **Description** An issue was discovered due to improper validation of user-supplied data, making different functionalities of the C-MOR web interface vulnerable to SQL injection attacks. This allows an authenticated user to execute arbitrary SQL commands in the context of the corresponding MySQL database. **Recommendations** For versions 5.2401 through 6.00PL01, as a temporary workaround, consider restricting access to the C-MOR web interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance versions 5.2401 through 6.00PL01 **Description** The issue is related to improper input validation in the C-MOR web interface, making it vulnerable to persistent cross-site scripting (XSS) attacks. This allows an attacker to inject malicious scripts remotely. The camera configuration is specifically vulnerable due to insufficient user input validation. **Recommendations** For versions 5.2401 and 6.00PL01, update the system with a patch as soon as possible and validate input/output to mitigate the risk. As a temporary workaround, consider restricting access to the C-MOR web interface until a patch is available.

**Name of the Vulnerable Software and Affected Versions** za-internet C-MOR Video Surveillance versions 5.2401 through 6.00PL01 **Description** An issue was discovered due to insufficient input validation, making the C-MOR web interface vulnerable to OS command injection attacks. The vulnerability can be exploited by a low-privileged authenticated user to execute commands in the context of the Linux user www-data via shell metacharacters in HTTP POST data, for example, the `city` parameter. Additionally, an administrative user can exploit the OS command injection vulnerability in the script settimezone.pml or setdatetime.pml, for instance, via the `year` parameter. By also exploiting a privilege-escalation vulnerability, it is possible to execute commands on the C-MOR system with root privileges. **Recommendations** For versions 5.2401 through 6.00PL01, consider disabling the generatesslreq.pml script and restricting access to the settimezone.pml and setdatetime.pml scripts until a patch is available. As a temporary workaround, avoid using the `city` and `year` parameters in the affected HTTP POST requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.