ID

VAR-202004-1805


CVE

CVE-2020-8145


TITLE

UniFi Video Vulnerability related to authority management in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003638

DESCRIPTION

The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup” and “wizard” endpoints does not implement sufficient privilege checks. Low-privileged users belonging to the PUBLIC_GROUP or CUSTOM_GROUP groups can access these endpoints and overwrite the current application configuration. This can be abused for various purposes, including adding new administrative users. Affected Products: UniFi Video Controller v3.9.3 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.9.6 and newer. UniFi Video contains a privilege management vulnerability. Information may be tampered with.

Trust: 1.62

sources: NVD: CVE-2020-8145 // JVNDB: JVNDB-2020-003638

AFFECTED PRODUCTS

vendor: ui, model: unifi video, scope: lte, version: 3.9.3

Trust: 1.0

vendor: ubiquiti, model: unifi video, scope: eq, version: 3.10.1

Trust: 0.8

sources: JVNDB: JVNDB-2020-003638 // NVD: CVE-2020-8145

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-8145
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-003638
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202004-058
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-8145
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003638
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

nvd@nist.gov: CVE-2020-8145
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003638
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-003638 // CNNVD: CNNVD-202004-058 // NVD: CVE-2020-8145

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-269

Trust: 0.8

sources: JVNDB: JVNDB-2020-003638 // NVD: CVE-2020-8145

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-058

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202004-058

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003638

PATCH

title: Security advisory bulletin 006, url: https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e

Trust: 0.8

title: UniFi Video Controller Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=113196

Trust: 0.6

sources: JVNDB: JVNDB-2020-003638 // CNNVD: CNNVD-202004-058

EXTERNAL IDS

db: NVD, id: CVE-2020-8145

Trust: 2.4

db: JVNDB, id: JVNDB-2020-003638

Trust: 0.8

db: CNNVD, id: CNNVD-202004-058

Trust: 0.6

sources: JVNDB: JVNDB-2020-003638 // CNNVD: CNNVD-202004-058 // NVD: CVE-2020-8145

REFERENCES

url:https://community.ui.com/releases/security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-8145

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8145

Trust: 0.8

sources: JVNDB: JVNDB-2020-003638 // CNNVD: CNNVD-202004-058 // NVD: CVE-2020-8145

SOURCES

db: JVNDB, id: JVNDB-2020-003638
db: CNNVD, id: CNNVD-202004-058
db: NVD, id: CVE-2020-8145

LAST UPDATE DATE

2024-11-23T22:37:24.580000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2020-003638, date: 2020-04-21T00:00:00
db: CNNVD, id: CNNVD-202004-058, date: 2020-04-08T00:00:00
db: NVD, id: CVE-2020-8145, date: 2024-11-21T05:38:22.840

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2020-003638, date: 2020-04-21T00:00:00
db: CNNVD, id: CNNVD-202004-058, date: 2020-04-01T00:00:00
db: NVD, id: CVE-2020-8145, date: 2020-04-01T23:15:13.890