PT-2023-7487 · Axis Communications · Axis Os

Published: 2023-10-16 · Updated: 2024-11-08 · CVE-2023-21415

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AXIS OS versions prior to the patched version

Description: The issue is in the VAPIX API of AXIS OS, specifically the overlay_del.cgi endpoint, which is vulnerable to path traversal. An attacker who has authenticated with an operator- or administrator-privileged service account can use it to delete arbitrary files. The issue can be exploited remotely.

Recommendations: For versions prior to the patched version, update to the latest AXIS OS version that includes the fix for this issue. As a temporary workaround, consider restricting access to the overlay_del.cgi endpoint until a patch is available, and avoid using it with operator- or administrator-privileged service accounts until the issue is resolved.
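As an added illustration (not Axis/VAPIX code and not part of this advisory) of the check a file-deletion endpoint needs before unlinking, reused to screen access-log request lines aimed at overlay_del.cgi while the workaround above is in place. The overlay directory, the `image` parameter name and the `/axis-cgi/` prefix are assumptions, and the log lines are constructed.

```python
# Added example, not Axis/VAPIX code: the normalisation a safe overlay-deletion
# handler needs before unlinking, reused to screen access-log request lines.
from pathlib import PurePosixPath
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

OVERLAY_DIR = PurePosixPath("/var/overlays")  # assumed overlay directory

def resolve_overlay_path(name: str) -> Optional[PurePosixPath]:
    """Map a requested overlay name to a path under OVERLAY_DIR, or return
    None if it is empty or would escape the directory (path traversal).
    Undoes single/double percent-encoding and collapses '.', '..', leading '/'."""
    decoded = unquote(unquote(name))
    parts: List[str] = []
    for part in PurePosixPath(decoded).parts:
        if part in ("/", "."):
            continue
        if part == "..":
            if not parts:
                return None  # would climb above OVERLAY_DIR
            parts.pop()
        else:
            parts.append(part)
    return OVERLAY_DIR.joinpath(*parts) if parts else None

def is_suspicious_request(request_line: str) -> bool:
    """True if the request targets overlay_del.cgi with a non-empty
    parameter value that resolve_overlay_path rejects."""
    fields = request_line.split()
    url = fields[1] if len(fields) >= 2 else request_line
    parsed = urlsplit(url)
    if not parsed.path.endswith("overlay_del.cgi"):
        return False
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        if any(v and resolve_overlay_path(v) is None for v in values):
            return True
    return False

def screen_requests(lines: List[str]) -> List[str]:
    """Return only the request lines that look like traversal attempts."""
    return [line for line in lines if is_suspicious_request(line)]

# Constructed sample request lines, not real traffic; the 'image' parameter
# name and the /axis-cgi/ prefix are assumptions.
SAMPLE_REQUESTS = [
    "GET /axis-cgi/overlay_del.cgi?image=logo.png HTTP/1.1",
    "GET /axis-cgi/overlay_del.cgi?image=..%2F..%2Fetc%2Fconstructed.conf HTTP/1.1",
    "GET /axis-cgi/param.cgi?action=list HTTP/1.1",
]
```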

Fix

Weakness Enumeration: Path traversal

Related Identifiers: BDU:2023-08531, CVE-2023-21415

Affected Products: Axis Os