CVE-2024-6509

Summary

Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Affected Software

VendorProductVersion RangeStatus
Axis Communications ABAXIS OS6.50.0 < 6.50.5.19affected
Axis Communications ABAXIS OS7.0.0 < 8.40.59affected
Axis Communications ABAXIS OS9.0.0 < 9.80.78affected
Axis Communications ABAXIS OS10.0.0 < 10.12.249affected
Axis Communications ABAXIS OS11.0.0 < 11.11.93affected

Weaknesses

  • CWE-155: CWE-155: Improper Neutralization of Wildcards or Matching Symbols

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References