PT-2024-31455 · Za Internet · Za-Internet C-Mor Video Surveillance

Chris Beiter

Published 2024-09-05 · Updated 2024-09-09

CVE-2024-45171

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: za-internet C-MOR Video Surveillance version 5.2401
Description: An issue was discovered due to improper user input validation that allows the upload of dangerous files, such as PHP code, to the system. The upload functionality for backup files permits an authenticated user to upload arbitrary files as long as the filename contains the string ".cbkf". Uploaded files are stored in the "/srv/www/backups" directory and can be accessed via the URL https:///backup/upload . Low-privileged authenticated users can also reach this file upload functionality because of broken access control.

Recommendations: For version 5.2401, consider disabling the file upload functionality for backup files until a patch is available. Restrict access to the "/srv/www/backups" directory to minimize the risk of exploitation. Avoid using filenames containing the .cbkf string in the affected API endpoint until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
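Added example, not code from the advisory or from the C-MOR product: the substring filename test the description implies, beside a stricter validator and an explicit privilege check of the kind a fix would need. The regular expression, the role names and the sample filenames are assumptions constructed for the demonstration.

```python
import os
import re

# Constructed sample names; none of them come from the advisory.
SAMPLE_NAMES = [
    "site-backup.cbkf",              # legitimate backup archive
    "shell.cbkf.php",                # contains ".cbkf" but is really a PHP file
    "x.cbkf.phtml",                  # alternative PHP extension, same trick
    "../../srv/www/htdocs/a.cbkf",   # path traversal in the name
    "evil.php",                      # no ".cbkf" at all
]

# Assumed policy: short alphanumeric base name with exactly one ".cbkf" extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.cbkf$")


def weak_check(filename: str) -> bool:
    """The check the advisory describes: any name containing '.cbkf' is accepted."""
    return ".cbkf" in filename


def strict_check(filename: str) -> bool:
    """Accept only a bare base name whose final and only extension is '.cbkf'."""
    base = os.path.basename(filename)
    if base != filename:            # any path separator means traversal, reject
        return False
    return SAFE_NAME.fullmatch(base) is not None


def may_upload_backup(role: str) -> bool:
    """Backup upload is administrative; assumed role names, 'admin' only."""
    return role == "admin"


def classify(names):
    """Map each name to (accepted_by_weak_check, accepted_by_strict_check)."""
    return {n: (weak_check(n), strict_check(n)) for n in names}


if __name__ == "__main__":
    for name, (weak, strict) in classify(SAMPLE_NAMES).items():
        print(f"{name!r:36} weak={weak!s:5} strict={strict}")
```

Names that pass the weak check but fail the strict one are exactly the ones the advisory warns about; a server should additionally store uploads under a generated name outside any directory the web server executes scripts from.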

Exploit

Unrestricted File Upload


Weakness Enumeration

Related Identifiers

CVE-2024-45171

Affected Products

Za-Internet C-Mor Video Surveillance