CVE-2024-8160

Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVSS v3 3.8 LOW

3.8^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.axis.com/dam/public/permalink/231071/cve-2024-8160pdf-en-US_InternalID-231071.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:axis:axis_os:::::active:::*
	cpe:2.3:o:axis:axis_os_2022:::::lts:::*
	cpe:2.3:o:axis:axis_os_2024:::::lts:::*

History

No history.

Information

Published : 2024-11-26 08:15

Updated : 2026-01-22 16:41

NVD link : CVE-2024-8160

Mitre link : CVE-2024-8160

CVE.ORG link : CVE-2024-8160

JSON object : View

Products Affected

axis

axis_os_2024
axis_os
axis_os_2022

CWE

CWE-1286

Improper Validation of Syntactic Correctness of Input

{"id": "CVE-2024-8160", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "product-security@axis.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}]}, "published": "2024-11-26T08:15:07.893", "references": [{"url": "https://www.axis.com/dam/public/permalink/231071/cve-2024-8160pdf-en-US_InternalID-231071.pdf", "tags": ["Vendor Advisory"], "source": "product-security@axis.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "product-security@axis.com", "description": [{"lang": "en", "value": "CWE-1286"}]}], "descriptions": [{"lang": "en", "value": "Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account. \nAxis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution."}, {"lang": "es", "value": "Erik de Jong, miembro del programa Bug Bounty de AXIS OS, ha descubierto que la API ftptest.cgi de VAPIX no ten\u00eda una validaci\u00f3n de entrada suficiente que permitiera una posible inyecci\u00f3n de comandos que permitiera transferir archivos desde/hacia el dispositivo Axis. Esta falla solo se puede explotar despu\u00e9s de autenticarse con una cuenta de servicio con privilegios de administrador. Axis ha publicado versiones parcheadas de AXIS OS para la falla resaltada. Consulte el aviso de seguridad de Axis para obtener m\u00e1s informaci\u00f3n y soluciones."}], "lastModified": "2026-01-22T16:41:04.697", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:*", "vulnerable": true, "matchCriteriaId": "FA5DFA97-A1D0-420D-8122-1C7D676DAB32", "versionEndExcluding": "12.1.21", "versionStartIncluding": "10.9.0"}, {"criteria": "cpe:2.3:o:axis:axis_os_2022:*:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "5E79A1E2-7696-47A5-A334-4AA76BB5F7F5", "versionEndExcluding": "10.12.257"}, {"criteria": "cpe:2.3:o:axis:axis_os_2024:*:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "C59E237E-58EE-4ACA-B8D5-B89C7F17D9C6", "versionEndExcluding": "11.11.116"}], "operator": "OR"}]}], "sourceIdentifier": "product-security@axis.com"}