CVE-2020-8267 — MEDIUM (5.3)

Q: How severe is CVE-2020-8267?

CVE-2020-8267 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-8267?

Check the references section above for vendor advisories and patch information. Affected products include: Ui Unifi Protect Firmware.

Vulnerability Description

A security issue was found in UniFi Protect controller v1.14.10 and earlier.The authentication in the UniFi Protect controller API was using “x-token” improperly, allowing attackers to use the API to send authenticated messages without a valid token.This vulnerability was fixed in UniFi Protect v1.14.11 and newer.This issue does not impact UniFi Cloud Key Gen 2 plus.This issue does not impact UDM-Pro customers with UniFi Protect stopped.Affected Products:UDM-Pro firmware 1.7.2 and earlier.UNVR firmware 1.3.12 and earlier.Mitigation:Update UniFi Protect to v1.14.11 or newer version; the UniFi Protect controller can be updated through your UniFi OS settings.Alternatively, you can update UNVR and UDM-Pro to:- UNVR firmware to 1.3.15 or newer.- UDM-Pro firmware to 1.8.0 or newer.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Ui	Unifi Protect Firmware	<= 1.14.10

Related Weaknesses (CWE)

CWE-287

References

https://community.ui.com/releases/UniFi-Dream-Machine-Firmware-1-8-0/deabc255-a0PatchVendor Advisory
https://community.ui.com/releases/UniFi-Protect-1-14-11/928e6fac-afeb-49c2-93a5-Release NotesVendor Advisory
https://community.ui.com/releases/UniFi-Protect-NVR-Firmware-1-3-15/c2a783a6-c99PatchVendor Advisory
https://community.ui.com/releases/UniFi-Dream-Machine-Firmware-1-8-0/deabc255-a0PatchVendor Advisory
https://community.ui.com/releases/UniFi-Protect-1-14-11/928e6fac-afeb-49c2-93a5-Release NotesVendor Advisory
https://community.ui.com/releases/UniFi-Protect-NVR-Firmware-1-3-15/c2a783a6-c99PatchVendor Advisory

FAQ

What is CVE-2020-8267?

CVE-2020-8267 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A security issue was found in UniFi Protect controller v1.14.10 and earlier.The authentication in the UniFi Protect controller API was using “x-token” improperly, allowing attackers to use the API to ...

How severe is CVE-2020-8267?

CVE-2020-8267 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-8267?

Check the references section above for vendor advisories and patch information. Affected products include: Ui Unifi Protect Firmware.