Overview
The Avigilon Control Center (ACC) is a server software for security and surveillance systems. The ACC Server is vulnerable to a path traversal attack, allowing an attacker to access any file on the server.
Description
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-2860 The /help/ path of a URL to an ACC Server is improperly parsed, allowing an attacker to perform a path traversal to access any file on the underlying system. |
Impact
An unauthenticated remote attacker may access any file on the underlying system running ACC Server. |
Solution
Apply an update |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.8 | AV:N/AC:L/Au:N/C:C/I:N/A:N |
| Temporal | 6.1 | E:POC/RL:OF/RC:C |
| Environmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Jürgen Bilberger for reporting this vulnerability, and to Avigilon for quickly addressing this issue.
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | CVE-2015-2860 |
| Date Public: | 2015-06-08 |
| Date First Published: | 2015-06-10 |
| Date Last Updated: | 2015-06-10 16:09 UTC |
| Document Revision: | 30 |