Directory traversal vulnerability in Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to bypass authentication via a .. (dot dot) in an HTTP POST request to ServerManager.srv, then use these privileges to conduct other activities, such as modifying files using editcgi.cgi.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N
Vendors Products
Axis
  • 2110 Network Camera
  • 230 Mpeg2 Video Server
  • 2130 Ptz Network Camera
  • 2400 Video Server
  • 2420 Video Server
  • 2420 Network Camera
  • 2490 Serial Server
  • 250s Video Server
  • 2120 Network Camera
  • 2460 Network Dvr
  • 2411 Video Server
  • 2401 Video Server
  • Storpoint Cd
  • 2100 Network Camera

Configuration 1 [-]

OR cpe:2.3:h:axis:2100_network_camera:2.12:*:*:*:*:*:*:*
cpe:2.3:h:axis:2100_network_camera:2.30:*:*:*:*:*:*:*
cpe:2.3:h:axis:2100_network_camera:2.31:*:*:*:*:*:*:*
cpe:2.3:h:axis:2100_network_camera:2.32:*:*:*:*:*:*:*
cpe:2.3:h:axis:2100_network_camera:2.33:*:*:*:*:*:*:*
cpe:2.3:h:axis:2100_network_camera:2.34:*:*:*:*:*:*:*
cpe:2.3:h:axis:2100_network_camera:2.40:*:*:*:*:*:*:*
cpe:2.3:h:axis:2100_network_camera:2.41:*:*:*:*:*:*:*
cpe:2.3:h:axis:2110_network_camera:2.12:*:*:*:*:*:*:*
cpe:2.3:h:axis:2110_network_camera:2.30:*:*:*:*:*:*:*
cpe:2.3:h:axis:2110_network_camera:2.31:*:*:*:*:*:*:*
cpe:2.3:h:axis:2110_network_camera:2.32:*:*:*:*:*:*:*
cpe:2.3:h:axis:2110_network_camera:2.34:*:*:*:*:*:*:*
cpe:2.3:h:axis:2110_network_camera:2.40:*:*:*:*:*:*:*
cpe:2.3:h:axis:2110_network_camera:2.41:*:*:*:*:*:*:*
cpe:2.3:h:axis:2120_network_camera:2.12:*:*:*:*:*:*:*
cpe:2.3:h:axis:2120_network_camera:2.30:*:*:*:*:*:*:*
cpe:2.3:h:axis:2120_network_camera:2.31:*:*:*:*:*:*:*
cpe:2.3:h:axis:2120_network_camera:2.32:*:*:*:*:*:*:*
cpe:2.3:h:axis:2120_network_camera:2.34:*:*:*:*:*:*:*
cpe:2.3:h:axis:2120_network_camera:2.40:*:*:*:*:*:*:*
cpe:2.3:h:axis:2120_network_camera:2.41:*:*:*:*:*:*:*
cpe:2.3:h:axis:2130_ptz_network_camera:2.30:*:*:*:*:*:*:*
cpe:2.3:h:axis:2130_ptz_network_camera:2.31:*:*:*:*:*:*:*
cpe:2.3:h:axis:2130_ptz_network_camera:2.32:*:*:*:*:*:*:*
cpe:2.3:h:axis:2130_ptz_network_camera:2.34:*:*:*:*:*:*:*
cpe:2.3:h:axis:2130_ptz_network_camera:2.40:*:*:*:*:*:*:*
cpe:2.3:h:axis:230_mpeg2_video_server:3.11:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:1.1:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:1.2:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:1.10:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:1.11:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:1.12:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:1.15:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:2.0:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:2.20:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:2.30:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:2.31:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:2.32:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:2.33:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:2.34:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:3.11:*:*:*:*:*:*:*
cpe:2.3:h:axis:2400_video_server:3.12:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:1.0_1:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:1.15:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:2.20:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:2.30:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:2.31:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:2.32:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:2.33:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:2.34:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:3.12:*:*:*:*:*:*:*
cpe:2.3:h:axis:2401_video_server:3.13:*:*:*:*:*:*:*
cpe:2.3:h:axis:2411_video_server:3.12:*:*:*:*:*:*:*
cpe:2.3:h:axis:2411_video_server:3.13:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_network_camera:2.12:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_network_camera:2.30:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_network_camera:2.31:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_network_camera:2.32:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_network_camera:2.33:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_network_camera:2.34:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_network_camera:2.40:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_network_camera:2.41:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_video_server:2.32:*:*:*:*:*:*:*
cpe:2.3:h:axis:2420_video_server:2.34:*:*:*:*:*:*:*
cpe:2.3:h:axis:2460_network_dvr:*:*:*:*:*:*:*:*
cpe:2.3:h:axis:2460_network_dvr:3.10:*:*:*:*:*:*:*
cpe:2.3:h:axis:2460_network_dvr:3.11:*:*:*:*:*:*:*
cpe:2.3:h:axis:2490_serial_server:*:*:*:*:*:*:*:*
cpe:2.3:h:axis:2490_serial_server:2.11.3:*:*:*:*:*:*:*
cpe:2.3:h:axis:250s_video_server:*:*:*:*:*:*:*:*
cpe:2.3:h:axis:250s_video_server:3.03:*:*:*:*:*:*:*
cpe:2.3:h:axis:250s_video_server:3.10:*:*:*:*:*:*:*
cpe:2.3:h:axis:storpoint_cd:*:*:*:*:*:*:*:*
References
Link Resource
http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0948.html Exploit
http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1282.html Patch Vendor Advisory
http://secunia.com/advisories/12353 Patch Vendor Advisory
http://securitytracker.com/id?1011056 Exploit Patch
http://www.osvdb.org/9122
http://www.securityfocus.com/bid/11011 Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/17079
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2005-08-18T04:00:00

Updated: 2017-07-10T14:57:01

Reserved: 2005-08-18T00:00:00

Link: CVE-2004-2426

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2004-12-31T05:00:00.000

Modified: 2017-07-11T01:31:53.170

Link: CVE-2004-2426

JSON object: View

cve-icon Redhat Information

No data.

CWE