exploitDog

CVE-2019-5430

Опубликовано: 06 мая 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page.

Ссылки

https://community.ubnt.com/t5/UniFi-Video-Blog/UniFi-Video-3-10-1-Soft-Release/ba-p/2658279
Vendor Advisory
https://hackerone.com/reports/329749
Third Party Advisory
https://community.ubnt.com/t5/UniFi-Video-Blog/UniFi-Video-3-10-1-Soft-Release/ba-p/2658279
Vendor Advisory
https://hackerone.com/reports/329749
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ui:unifi_video:*:*:*:*:*:*:*:*

Версия до 3.10.0 (включая)

EPSS

Процентиль: 40%

0.00187

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352

CWE-352

Связанные уязвимости

GHSA-fc4h-7x45-5wrw

github

больше 3 лет назад

In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page.

EPSS

Процентиль: 40%

0.00187

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352

CWE-352