CVE-2024-45170 — HIGH (8.1)

Vulnerability Description

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper or missing access control, low privileged users can use administrative functions of the C-MOR web interface. It was found out that different functions are only available to administrative users. However, access those functions is restricted via the web application user interface and not checked on the server side. Thus, by sending corresponding HTTP requests to the web server of the C-MOR web interface, low privileged users can also use administrative functionality, for instance downloading backup files or changing configuration settings.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
C-Mor	C-Mor Video Surveillance	5.2401

Related Weaknesses (CWE)

CWE-284

References

https://www-syss-de.translate.goog/pentest-blog/mehrere-sicherheitsschwachstelleVendor Advisory
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.tExploitVendor Advisory
http://seclists.org/fulldisclosure/2024/Sep/12ExploitMailing ListThird Party Advisory

FAQ

What is CVE-2024-45170?

CVE-2024-45170 is a vulnerability with a CVSS score of 8.1 (HIGH). An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper or missing access control, low privileged users can use administrative functions of the C-MOR web interface. It ...

How severe is CVE-2024-45170?

CVE-2024-45170 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-45170?

Check the references section above for vendor advisories and patch information. Affected products include: C-Mor C-Mor Video Surveillance.