UniFi Video Controller v3.9.3 Improper Privilege Management Vulnerability

Summary

The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup” and “wizard” endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP or CUSTOM_GROUP groups, can access these endpoints and overwrite the current application configuration.

 

 

 

 

Credit:

The information has been provided by Vendor

The original article can be found at:https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e

 


Details

This can be abused for various purposes, including adding new administrative users. Affected Products: UniFi Video Controller v3.9.3 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.9.6 and newer.

 

Vulnerable Systems:

UniFi Video Controller v3.9.3

 

CVE Information:

CVE-2020-8145

Disclosure Timeline:
Published Date:4/1/2020

Categories: FeaturedNews