PT-2024-31457 · Za Internet · Za-Internet C-Mor Video Surveillance

Chris Beiter +2 · Published 2024-09-05 · Updated 2025-09-04 · CVE-2024-45173

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

za-internet C-MOR Video Surveillance version 5.2401

Description

An issue was discovered due to improper privilege management concerning sudo privileges, making C-MOR vulnerable to a privilege escalation attack. The Linux user www-data, which runs the C-MOR web interface, can execute some OS commands as root via sudo without having to enter the root password. These commands include cp, chown, and chmod, which enable an attacker to modify the system's sudoers file in order to execute all commands with root privileges. Thus, it is possible to escalate the limited privileges of the user www-data to root privileges.

Recommendations

For version 5.2401, consider restricting the sudo privileges of the www-data user to prevent the execution of sensitive commands like cp, chown, and chmod until a patch is available. As a temporary workaround, consider disabling sudo access for the www-data user to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
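To verify the restriction recommended above, the following audit function (an added example, not code from the vendor or from this advisory) reads sudoers-format rules and reports passwordless entries that let a given account run cp, chown, or chmod. The sample rules are constructed for illustration and are not the product's actual sudoers file; the parser assumes plain one-line user rules and does not expand aliases, groups or include directives.

```shell
#!/bin/sh
# Added example: flag passwordless sudo rules for file-manipulation commands.
# The command list comes from the advisory text; extend it for local policy.
RISKY="cp chown chmod"

# audit_sudoers USER < sudoers-text
# Prints "USER: NOPASSWD <command>" per risky rule; returns 1 if any is found.
audit_sudoers() {
    awk -v user="$1" -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
    $1 != user && $1 != "ALL" { next }       # only rules for this user or ALL
    {
        line = $0
        sub(/^[^=]*=[ \t]*/, "", line)       # drop the "user host =" part
        sub(/^\([^)]*\)[ \t]*/, "", line)    # drop the "(runas)" part
        nopw = 0
        m = split(line, cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            # a tag applies to the commands after it until another tag appears
            if (c ~ /^NOPASSWD:/)    { nopw = 1; sub(/^NOPASSWD:[ \t]*/, "", c) }
            else if (c ~ /^PASSWD:/) { nopw = 0; sub(/^PASSWD:[ \t]*/, "", c) }
            split(c, w, " "); path = w[1]
            k = split(path, p, "/"); base = p[k]
            if (nopw && ((base in bad) || path == "ALL")) {
                print user ": NOPASSWD " c
                found = 1
            }
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample rules (hypothetical, for demonstration only).
SAMPLE='# constructed sample
www-data ALL=(root) NOPASSWD: /bin/cp, /bin/chown, /bin/chmod, /usr/bin/uptime
backup ALL=(root) NOPASSWD: /usr/bin/rsync'

printf '%s\n' "$SAMPLE" | audit_sudoers www-data || echo "www-data: risky sudo rules found"
```

On a host, feed it the contents of /etc/sudoers and the files under /etc/sudoers.d; a non-zero return means the account still holds one of the flagged rules.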

Exploit

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2024-45173

Affected Products

Za-Internet C-Mor Video Surveillance