PT-2024-6872 · Za Internet · Za-Internet C-Mor Video Surveillance
Chris Beiter +2 · Published 2024-04-05 · Updated 2024-10-10
CVE-2024-45179
CVSS v2.0: 9.0 High
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
za-internet C-MOR Video Surveillance versions 5.2401 through 6.00PL01
Description
Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. A low-privileged authenticated user can exploit the vulnerability to execute commands in the context of the Linux user www-data via shell metacharacters in HTTP POST data, for example, the city parameter. Additionally, an administrative user can exploit the OS command injection vulnerability in the script settimezone.pml or setdatetime.pml, for instance, via the year parameter. By also exploiting a privilege-escalation vulnerability, it is possible to execute commands on the C-MOR system with root privileges.
Recommendations
For versions 5.2401 through 6.00PL01, consider disabling the generatesslreq.pml script and restricting access to the settimezone.pml and setdatetime.pml scripts until a patch is available. As a temporary workaround, avoid using the city and year parameters in the affected HTTP POST requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
OS Command Injection
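As an added example (not part of the advisory and not vendor code), the following Python check shows how a reverse proxy filter or log review job could flag POST requests to the scripts named in the recommendations when a parameter fails validation. The allow-list patterns, the path matching and the sample requests are assumptions constructed for illustration; it goes beyond the city and year parameters by also screening every other parameter for shell metacharacters.

```python
import re
from urllib.parse import parse_qsl

# Scripts named in the advisory; matching on the file name at the end of the
# path is an assumption about how they appear in requests.
WATCHED_SCRIPTS = ("generatesslreq.pml", "settimezone.pml", "setdatetime.pml")

# Allow-lists for the two parameters the advisory names (patterns are assumptions).
ALLOWED = {
    "city": re.compile(r"[A-Za-z\u00C0-\u024F .'-]{1,64}"),
    "year": re.compile(r"\d{4}"),
}
# Characters a POSIX shell treats specially; applied to every other parameter.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r'\"*?!~#]")


def suspicious_params(path, body):
    """Return names of POST parameters that should be blocked or alerted on."""
    if not path.lower().endswith(WATCHED_SCRIPTS):
        return []
    flagged = []
    # parse_qsl percent-decodes, so encoded metacharacters are seen in clear.
    for name, value in parse_qsl(body, keep_blank_values=True):
        rule = ALLOWED.get(name)
        if rule is not None:
            ok = rule.fullmatch(value) is not None
        else:
            ok = SHELL_META.search(value) is None
        if not ok and name not in flagged:
            flagged.append(name)
    return flagged


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/generatesslreq.pml", "country=DE&city=Regensburg"),
    ("/generatesslreq.pml", "country=DE&city=Ulm%3Bid"),
    ("/setdatetime.pml", "year=2024&month=04"),
    ("/setdatetime.pml", "year=2024%60id%60&month=04"),
    ("/index.pml", "q=a%3Bb"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, body, "->", suspicious_params(path, body) or "ok")
```

Requests to scripts outside the watched list are ignored here, so the check complements rather than replaces the access restrictions recommended above.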
Related Identifiers
Affected Products
Za-Internet C-Mor Video Surveillance