Vulnerability Details : CVE-2023-5677
Brandon
Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi
did not have a sufficient input validation allowing for a possible remote code
execution. This flaw can only be exploited after authenticating with an
operator- or administrator-privileged service account. The impact of exploiting
this vulnerability is lower with operator-privileges compared to
administrator-privileges service accounts. Axis has released patched AXIS OS
versions for the highlighted flaw. Please refer to the Axis security advisory
for more information and solution.
Vulnerability category: Execute code
Products affected by CVE-2023-5677
- cpe:2.3:o:axis:m3024-lve_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:m3025-ve_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:m7014_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:m7016_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:p1214-e_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:p7214_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:p7216_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:q7401_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:q7404_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:q7424-r_mk_ii_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:axis:q7414_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-5677
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 32 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-5677
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | 2024-02-13 |
6.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.8
|
3.4
|
Axis Communications AB | 2024-02-05 |
CWE ids for CVE-2023-5677
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: product-security@axis.com (Secondary)
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-5677
Jump to