CVE-2024-45178

Name of the Vulnerable Software and Affected Versions za-internet C-MOR Video Surveillance version 5.2401

Description An issue was discovered due to improper user input validation, making it possible to download arbitrary files from the system via a path traversal attack. Different functionalities are vulnerable to path traversal attacks, including the download functionality for backups provided by the script download-bkf.pml via the parameter bkf, and the script show-movies.pml via the parameter cam. This enables an authenticated user to download arbitrary files as Linux user www-data from the system.

Recommendations For version 5.2401, consider disabling the download-bkf.pml and show-movies.pml scripts until a patch is available to prevent path traversal attacks. Restrict access to the bkf and cam parameters in the affected scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.