PT-2024-31454 · Za Internet · Za-Internet C-Mor Video Surveillance

Chris Beiter +2 · Published 2024-09-04 · Updated 2024-09-05 · CVE-2024-45170

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: za-internet C-MOR Video Surveillance version 5.2401

Description: An issue was discovered due to improper or missing access control, allowing low privileged users to use administrative functions of the C-MOR web interface. Although different functions are only available to administrative users through the web application user interface, access to those functions is not checked on the server side. This allows low privileged users to send corresponding HTTP requests to the web server and use administrative functionality, such as downloading backup files or changing configuration settings.

Recommendations: For version 5.2401, consider restricting access to administrative functions until a proper fix is applied, by implementing server-side checks to ensure that only authorized users can access these features. As a temporary workaround, restrict low-privileged users from sending HTTP requests to the web server that could exploit this issue.
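
The server-side check recommended above, shown next to the UI-only pattern the description warns about. This is an added sketch, not C-MOR code: the route paths, role names, `Session` type and audit list are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical roles and routes; each route declares the minimum role it needs.
ROLE_RANK = {"viewer": 1, "admin": 2}
ROUTES = {
    "/live": ("viewer", lambda user: "live view"),
    "/backup/download": ("admin", lambda user: "backup archive"),
    "/config/update": ("admin", lambda user: "config saved"),
}

@dataclass(frozen=True)
class Session:
    user: str
    role: str  # read from the server-side session store, never from the request

def allowed(session, need):
    # Unknown roles rank 0, so they are denied everywhere (deny by default).
    return ROLE_RANK.get(session.role, 0) >= ROLE_RANK[need]

def menu_for(session):
    """UI filtering: decides which links are shown. Not an access control."""
    return [path for path, (need, _) in ROUTES.items() if allowed(session, need)]

def dispatch_ui_only(session, path):
    """Flawed pattern from the description: any logged-in user reaches any handler."""
    if session is None:
        return 401, "login required"
    if path not in ROUTES:
        return 404, "not found"
    return 200, ROUTES[path][1](session.user)

def dispatch_checked(session, path, audit):
    """Hardened: the role is checked on every request before the handler runs."""
    if session is None:
        return 401, "login required"
    if path not in ROUTES:
        return 404, "not found"
    need, handler = ROUTES[path]
    if not allowed(session, need):
        audit.append((session.user, path, "denied"))  # feed for alerting
        return 403, "forbidden"
    return 200, handler(session.user)

if __name__ == "__main__":
    audit, low = [], Session("operator1", "viewer")  # constructed sample user
    print(menu_for(low))                               # link is hidden in the UI
    print(dispatch_ui_only(low, "/backup/download"))   # yet the request succeeds
    print(dispatch_checked(low, "/backup/download", audit), audit)
```

The denied entries collected in `audit` double as a detection signal: a low-privileged account requesting administrative paths it is never shown in the interface is worth alerting on.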

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2024-45170

Affected Products: Za-Internet C-Mor Video Surveillance