1. Home
  2. CVE Database
  3. CVE-2024-8160
LOW · 3.8

CVE-2024-8160

Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being a...

Vulnerability Description

Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVSS Score

3.8

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
LOW

Affected Products

VendorProductVersions
AxisAxis Os>= 10.9.0, < 12.1.21
AxisAxis Os 2022< 10.12.257
AxisAxis Os 2024< 11.11.116

Related Weaknesses (CWE)

CWE-1286

References

FAQ

What is CVE-2024-8160?

CVE-2024-8160 is a vulnerability with a CVSS score of 3.8 (LOW). Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being a...

How severe is CVE-2024-8160?

CVE-2024-8160 has been rated LOW with a CVSS base score of 3.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-8160?

Check the references section above for vendor advisories and patch information. Affected products include: Axis Axis Os, Axis Axis Os 2022, Axis Axis Os 2024.