The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_params.shtml.
References
Link | Resource |
---|---|
https://www.exploit-db.com/exploits/40171/ | Exploit Third Party Advisory VDB Entry |
http://www.securityfocus.com/bid/92159 | Third Party Advisory VDB Entry |
http://packetstormsecurity.com/files/138083/AXIS-Authenticated-Remote-Command-Execution.html | Exploit Third Party Advisory VDB Entry |
Configurations
Configuration 1 (hide)
AND |
|
Information
Published : 2017-05-02 07:59
Updated : 2017-05-16 08:27
NVD link : CVE-2015-8257
Mitre link : CVE-2015-8257
JSON object : View
CWE
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Products Affected
axis
- explosion-protected_camera
- fixed_box_camera
- fixed_dome_camera
- modular_camera
- network_camera_firmware
- ptz_camera
- onboard_camera
- thermal_camera
- panoramic_camera
- fixed_bullet_camera
- cannon_network_camera