CVE-2023-5677
Severity CVSS v4.0: Pending analysis
Type: CWE-78 OS Command Injections
Publication date: 05/02/2024
Last modified: 15/05/2025
Description
Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi did not have sufficient input validation, allowing for possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileged than with administrator-privileged service accounts. Please refer to the Axis security advisory for more information and the solution.
Impact
Base Score 3.x: 6.30
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:axis:m3024-lve_firmware:*:*:*:*:*:*:*:* | 5.51.7.7 (excluding) | |
| cpe:2.3:h:axis:m3024-lve:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:axis:m3025-ve_firmware:*:*:*:*:*:*:*:* | 5.51.7.7 (excluding) | |
| cpe:2.3:h:axis:m3025-ve:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:axis:m7014_firmware:*:*:*:*:*:*:*:* | 5.51.7.7 (excluding) | |
| cpe:2.3:h:axis:m7014:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:axis:m7016_firmware:*:*:*:*:*:*:*:* | 5.51.7.7 (excluding) | |
| cpe:2.3:h:axis:m7016:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:axis:p1214-e_firmware:*:*:*:*:*:*:*:* | 5.51.7.7 (excluding) | |
| cpe:2.3:h:axis:p1214-e:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:axis:p7214_firmware:*:*:*:*:*:*:*:* | 5.51.7.7 (excluding) | |
| cpe:2.3:h:axis:p7214:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:axis:p7216_firmware:*:*:*:*:*:*:*:* | 5.51.7.7 (excluding) | |
| cpe:2.3:h:axis:p7216:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:axis:q7401_firmware:*:*:*:*:*:*:*:* | 5.51.7.7 (excluding) | |
To consult the complete list of CPE names with products and versions, see this page



