PT-2020-19981 · Ubiquiti · Unifi Video Controller

Published
2020-04-01

Updated
2021-07-21

CVE-2020-8145

CVSS v3.1
6.5 (Medium)

Vector
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
UniFi Video Controller versions prior to 3.9.6

Description
The UniFi Video Server web interface configuration restore functionality at the "backup" and "wizard" endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC GROUP or CUSTOM GROUP groups, can access these endpoints and overwrite the current application configuration. This can be abused for various purposes, including adding new administrative users.

Recommendations
For versions prior to 3.9.6, update to UniFi Video Controller version 3.9.6 or newer to resolve the issue. As a temporary workaround, consider restricting access to the "backup" and "wizard" endpoints to prevent low privileged users from overwriting the application configuration.
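As an added illustration (not Ubiquiti's code and not a description of the product's internals), the following shows the kind of privilege gate the workaround above calls for, beside the missing-check behaviour the description reports, plus a detector that flags successful configuration-restore requests from the low-privileged groups named in the advisory in constructed access-log lines. The endpoint paths, the "ADMIN" group name and the log format are assumptions.

```python
import re
from dataclasses import dataclass

# Endpoints the advisory names as lacking privilege checks (exact paths are assumed).
RESTORE_ENDPOINTS = ("/api/2.0/backup", "/api/2.0/wizard")
# Groups the advisory names as low privileged; "ADMIN" is an assumed name for the privileged group.
LOW_PRIV_GROUPS = {"PUBLIC GROUP", "CUSTOM GROUP"}
PRIVILEGED_GROUPS = {"ADMIN"}

@dataclass
class Request:
    user: str
    group: str
    method: str
    path: str

def is_restore_endpoint(path: str) -> bool:
    # Match the endpoint itself or anything beneath it, but not look-alike prefixes.
    return any(path == ep or path.startswith(ep + "/") for ep in RESTORE_ENDPOINTS)

def authorize_vulnerable(req: Request) -> bool:
    """Behaviour as described for versions prior to 3.9.6: any authenticated user reaches the restore endpoints."""
    return bool(req.user)

def authorize_fixed(req: Request) -> bool:
    """Allow-list check: configuration restore requires membership in a privileged group."""
    if not req.user:
        return False
    if is_restore_endpoint(req.path):
        return req.group in PRIVILEGED_GROUPS
    return True

# Constructed access-log format: user "group" METHOD path status
LOG_RE = re.compile(r'^(?P<user>\S+) "(?P<group>[^"]+)" (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$')

def find_low_priv_restores(log_lines):
    """Return (user, path) for successful restore requests issued by low-privileged groups."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["group"] in LOW_PRIV_GROUPS and m["method"] == "POST" \
                and is_restore_endpoint(m["path"]) and m["status"].startswith("2"):
            hits.append((m["user"], m["path"]))
    return hits

SAMPLE_LOG = [  # constructed sample lines
    'admin "ADMIN" POST /api/2.0/backup 200',
    'guest "PUBLIC GROUP" GET /api/2.0/camera 200',
    'guest "PUBLIC GROUP" POST /api/2.0/backup 200',
    'ops "CUSTOM GROUP" POST /api/2.0/wizard/restore 200',
    'ops "CUSTOM GROUP" POST /api/2.0/backups 200',
]
```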

Fix


Related Identifiers

CVE-2020-8145

Affected Products

Unifi Video Controller