CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Axis : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-31989 312 2021-08-25 2021-09-01
3.5
None Remote Medium ??? Partial None None
A user with permission to log on to the machine hosting the AXIS Device Manager client could under certain conditions extract a memory dump from the built-in Windows Task Manager application. The memory dump may potentially contain credentials of connected Axis devices.
2 CVE-2021-31988 20 2021-10-05 2021-10-14
6.8
None Remote Medium Not required Partial Partial Partial
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.
3 CVE-2021-31987 20 Bypass 2021-10-05 2021-10-14
5.1
None Remote High Not required Partial Partial Partial
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients.
4 CVE-2021-31986 787 Overflow 2021-10-05 2021-10-13
4.0
None Remote High Not required Partial None Partial
User controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow resulting in crashes and data leakage.
5 CVE-2015-8258 74 2017-04-10 2017-04-13
7.8
None Remote Low Not required None Complete None
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."
6 CVE-2015-8255 352 CSRF 2017-04-10 2017-04-13
6.8
None Remote Medium Not required Partial Partial Partial
AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi.
7 CVE-2013-3543 264 2013-10-04 2013-10-07
8.8
None Remote Medium Not required None Complete Complete
The AXIS Media Control (AMC) ActiveX control (AxisMediaControlEmb.dll) 6.2.10.11 for AXIS network cameras allows remote attackers to create or overwrite arbitrary files via a file path to the (1) StartRecord, (2) SaveCurrentImage, or (3) StartRecordMedia methods.
8 CVE-2008-5260 119 Exec Code Overflow 2009-01-26 2018-10-11
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in the CamImage.CamImage.1 ActiveX control in AxisCamControl.ocx in AXIS Camera Control 2.40.0.0 allows remote attackers to execute arbitrary code via a long image_pan_tilt property value.
9 CVE-2007-5214 79 XSS CSRF 2007-10-04 2018-10-15
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to the default URI associated with a directory, as demonstrated by (a) the root directory and (b) the view/ directory; (2) parameters associated with saved settings, as demonstrated by (c) the conf_Network_HostName parameter on the Network page and (d) the conf_Layout_OwnTitle parameter to ServerManager.srv; and (3) the query string to ServerManager.srv, which is displayed on the logs page. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings.
10 CVE-2007-5213 352 CSRF 2007-10-04 2018-10-15
9.3
None Remote Medium Not required Complete Complete Complete
Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to perform actions as administrators, as demonstrated by (1) an SMTP server change through the conf_SMTP_MailServer1 parameter to ServerManager.srv and (2) a hostname change through the conf_Network_HostName parameter on the Network page.
11 CVE-2007-5212 79 XSS CSRF 2007-10-04 2018-10-15
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware before 2.43 allow remote attackers to inject arbitrary web script or HTML via (1) parameters associated with saved settings, as demonstrated by the conf_SMTP_MailServer1 parameter to ServerManager.srv; or (2) the subpage parameter to wizard/first/wizard_main_first.shtml. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings.
12 CVE-2007-4930 352 CSRF 2007-09-18 2018-10-15
4.3
None Remote Medium Not required None Partial None
Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS 207W camera allow remote attackers to perform certain actions as administrators via (1) axis-cgi/admin/restart.cgi, (2) the user and sgrp parameters to axis-cgi/admin/pwdgrp.cgi in an add action, or (3) the server parameter to admin/restartMessage.shtml.
13 CVE-2007-4929 79 XSS 2007-09-18 2018-10-15
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 207W camera allow remote attackers to inject arbitrary web script or HTML via the camNo parameter to incl/image_incl.shtml, and other unspecified vectors.
14 CVE-2007-4928 310 +Info 2007-09-18 2018-10-15
4.9
None Local Low Not required Complete None None
The AXIS 207W camera stores a WEP or WPA key in cleartext in the configuration file, which might allow local users to obtain sensitive information.
15 CVE-2007-4927 20 DoS 2007-09-18 2018-10-15
3.5
None Remote Medium ??? None None Partial
axis-cgi/buffer/command.cgi on the AXIS 207W camera allows remote authenticated users to cause a denial of service (reboot) via many requests with unique buffer names in the buffername parameter in a start action.
16 CVE-2007-4926 310 +Info 2007-09-18 2018-10-15
9.3
None Remote Medium Not required Complete Complete Complete
The AXIS 207W camera uses a base64-encoded cleartext username and password for authentication, which allows remote attackers to obtain sensitive information by sniffing the wireless network or by leveraging unspecified other vectors.
17 CVE-2007-2239 DoS Exec Code Overflow 2007-05-07 2017-07-29
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in the SaveBMP method in the AXIS Camera Control (aka CamImage) ActiveX control before 2.40.0.0 in AxisCamControl.ocx in AXIS 2100, 2110, 2120, 2130 PTZ, 2420, 2420-IR, 2400, 2400+, 2401, 2401+, 2411, and Panorama PTZ allows remote attackers to cause a denial of service (Internet Explorer crash) or execute arbitrary code via a long argument.
18 CVE-2004-2427 DoS +Info 2004-12-31 2008-09-05
10.0
None Remote Low Not required Complete Complete Complete
Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to obtain sensitive information via direct requests to (1) admin/getparam.cgi, (2) admin/systemlog.cgi, (3) admin/serverreport.cgi, and (4) admin/paramlist.cgi, modify system information via (5) setparam.cgi and (6) factorydefault.cgi, or (7) cause a denial of service (reboot) via restart.cgi.
19 CVE-2004-2426 Dir. Trav. Bypass 2004-12-31 2017-07-11
5.0
None Remote Low Not required None Partial None
Directory traversal vulnerability in Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to bypass authentication via a .. (dot dot) in an HTTP POST request to ServerManager.srv, then use these privileges to conduct other activities, such as modifying files using editcgi.cgi.
20 CVE-2004-2425 Exec Code 2004-12-31 2017-07-11
7.5
None Remote Low Not required Partial Partial Partial
Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to execute arbitrary commands via accent (`) and possibly other shell metacharacters in the query string to virtualinput.cgi.
21 CVE-2004-0789 DoS 2004-12-31 2017-07-11
5.0
None Remote Low Not required None None Partial
Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet.
22 CVE-2003-1386 264 +Info 2003-12-31 2017-07-29
6.4
None Remote Low Not required Partial None Partial
AXIS 2400 Video Server 2.00 through 2.33 allows remote attackers to obtain sensitive information via an HTTP request to /support/messages, which displays the server's /var/log/messages file.
23 CVE-2003-0240 Bypass 2003-06-09 2017-07-11
10.0
None Remote Low Not required Complete Complete Complete
The web-based administration capability for various Axis Network Camera products allows remote attackers to bypass access restrictions and modify configuration via an HTTP request to the admin/admin.shtml containing a leading // (double slash).
24 CVE-2001-1543 2001-12-31 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
Axis network camera 2120, 2110, 2100, 200+ and 200 contains a default administration password "pass", which allows remote attackers to gain access to the camera.
25 CVE-2000-0191 2000-02-29 2008-09-10
10.0
None Remote Low Not required Complete Complete Complete
Axis StorPoint CD allows remote attackers to access administrator URLs without authentication via a .. (dot dot) attack.
26 CVE-2000-0144 Bypass 2000-02-07 2008-09-10
7.5
None Remote Low Not required Partial Partial Partial
Axis 700 Network Scanner does not properly restrict access to administrator URLs, which allows users to bypass the password protection via a .. (dot dot) attack.
Total number of vulnerabilities : 26   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.