CVE-2015-8257
Severity CVSS v4.0: Pending analysis
Type: CWE-77 Command Injection
Publication date: 02/05/2017
Last modified: 20/04/2025
Description
The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_params.shtml.
Impact
Base Score 3.x: 8.80
Severity 3.x: HIGH
Base Score 2.0: 9.00
Severity 2.0: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:axis:network_camera_firmware:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:cannon_network_camera:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:explosion-protected_camera:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:fixed_box_camera:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:fixed_bullet_camera:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:fixed_dome_camera:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:modular_camera:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:onboard_camera:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:panoramic_camera:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:ptz_camera:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:axis:thermal_camera:-:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/138083/AXIS-Authenticated-Remote-Command-Execution.html
- http://www.securityfocus.com/bid/92159
- https://www.exploit-db.com/exploits/40171/



