In UniFi Video 3.10.0 and prior, the lack of CSRF protection makes it possible to abuse the Web API to change the server configuration without the user's consent. The attacker must lure an authenticated user into visiting an attacker-controlled page.
References
| Link | Resource |
|---|---|
| https://community.ubnt.com/t5/UniFi-Video-Blog/UniFi-Video-3-10-1-Soft-Release/ba-p/2658279 | Vendor Advisory |
| https://hackerone.com/reports/329749 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: hackerone
Published: 2019-05-06T16:53:50
Updated: 2019-05-06T16:53:50
Reserved: 2019-01-04T00:00:00
Link: CVE-2019-5430
NVD Information
Status: Modified
Published: 2019-05-06T17:29:00.387
Modified: 2019-10-09T23:50:51.353
Link: CVE-2019-5430
Redhat Information
No data.
CWE