PT-2023-7484 · Axis · AXIS OS

Published: 2023-11-21 · Updated: 2024-11-08 · CVE-2023-21417

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:C
Name of the Vulnerable Software and Affected Versions: AXIS OS versions prior to the patched version

Description: The issue is in the VAPIX API of AXIS OS, specifically the manageoverlayimage.cgi endpoint. It allows path traversal, enabling an attacker to delete arbitrary files after authenticating with an operator- or administrator-privileged service account. The impact is lower for operator service accounts, where deletion is limited to non-system files, than for administrator-privileged accounts.

Recommendations: For versions prior to the patched version, update to the patched AXIS OS version released by Axis. As a temporary workaround, consider restricting access to the manageoverlayimage.cgi endpoint until the patch is applied. Additionally, limit the use of administrator-privileged service accounts to reduce the risk of exploitation.
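The weakness class behind this advisory, a file-management endpoint that joins a caller-supplied file name onto a base directory without confining the result, is shown below as an added illustration; it is not Axis code and says nothing about how AXIS OS implements manageoverlayimage.cgi. The directory name OVERLAY_DIR and all function names are hypothetical. The weak pattern (naive_overlay_path) lets a name containing ".." walk out of the base directory, while the hardened pattern (resolve_overlay_path) rejects anything that is not a single plain file-name component and then confirms the canonicalised path is still inside the base directory before a delete handler would act on it.

```python
import os
import posixpath

# Constructed, hypothetical overlay directory used for the demonstration;
# it is not a real AXIS OS path.
OVERLAY_DIR = "/srv/overlays"


def naive_overlay_path(base_dir: str, name: str) -> str:
    """The weak pattern: trust a user-supplied name and join it onto the base
    directory. A name containing '..' walks out of the base directory."""
    return posixpath.normpath(posixpath.join(base_dir, name))


def is_safe_overlay_name(name: str) -> bool:
    """Accept only a single, plain file-name component: no separators,
    no '.' or '..', no NUL bytes and no empty name."""
    if not name or "\x00" in name:
        return False
    if "/" in name or "\\" in name:
        return False
    if name in (".", ".."):
        return False
    return True


def resolve_overlay_path(base_dir: str, name: str) -> str:
    """Hardened pattern: validate the name, canonicalise both paths, and
    confirm the candidate still lies inside the base directory (defence in
    depth against symlinks inside the base). Raises ValueError on escape."""
    if not is_safe_overlay_name(name):
        raise ValueError(f"rejected overlay name: {name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {candidate!r}")
    return candidate


def delete_overlay(base_dir: str, name: str) -> str:
    """What a delete handler should do: resolve through the hardened check
    first and remove only the validated path. Returns the removed path."""
    path = resolve_overlay_path(base_dir, name)
    os.remove(path)
    return path


if __name__ == "__main__":
    # Constructed inputs: one legitimate overlay name, one traversal attempt.
    for candidate in ("logo.png", "../../etc/passwd"):
        print("naive   :", naive_overlay_path(OVERLAY_DIR, candidate))
        try:
            print("hardened:", resolve_overlay_path(OVERLAY_DIR, candidate))
        except ValueError as exc:
            print("hardened: rejected,", exc)
```

The name check alone already stops the traversal; the commonpath comparison after realpath is kept so that a symlink planted inside the overlay directory cannot redirect the delete outside it, which is the case a name-only filter misses.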

Fix

Path traversal

Weakness Enumeration

Related Identifiers: BDU:2023-08528, CVE-2023-21417

Affected Products: AXIS OS