RSS   Vulnerabilities for 'P1354 firmware'   RSS

2018-04-01
 
CVE-2018-9156

CWE-434
 

 
** DISPUTED ** An issue was discovered on AXIS P1354 (IP camera) Firmware version 5.90.1.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "<!--#exec cmd=" support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality.

 

 >>> Vendor: AXIS 37 Products
700 network document server
Storpoint cd
2100 network camera
2110 network camera
2120 network camera
Neteye 200
Neteye 200+
2130 ptz network camera
2400 video server
2401 video server
2420 network camera
2460 network dvr
250s video server
230 mpeg2 video server
2411 video server
2420 video server
2490 serial server
2420-ir network camera
Panorama ptz camera
207w camera
207w network camera
Axis camera control
Device manager
2100 network camera firmware
M1054 network camera
M10 series network cameras firmware
Media control activex control
Axis communications firmware
Network camera firmware
P1354 firmware
M1033-w firmware
P1325-z firmware
Q1910-e firmware
Axis os
Axis os 2016
Axis os 2018
Axis os 2020


Copyright 2024, cxsecurity.com

 

Back to Top