CVE-2021-43442

Name of the Vulnerable Software and Affected Versions i3 International Inc Annexxus Camera versions V5.0.9 build 150615 (Ax78) through V5.2.0 build 150317 (Ax46)

Description A Logic Flaw issue exists due to a failure to restrict the creation of more than one administrator account. This can be bypassed by parameter manipulation using PUT and DELETE requests, and by calling the 'UserPermission' endpoint with the ID of a created account and setting it to 'admin' userType, successfully adding a second administrative account.

Recommendations For versions V5.0.9 build 150615 (Ax78), V5.0.9 build 151106 (Ax68), and V5.2.0 build 150317 (Ax46), consider disabling the 'UserPermission' endpoint until a patch is available to prevent the creation of unauthorized administrative accounts. Restrict access to the userType parameter in the 'UserPermission' endpoint to minimize the risk of exploitation. Avoid using the PUT and DELETE requests to manipulate parameters until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.