Headline
CVE-2023-0506: Inadequate Access Control in By Demes Group Products | INCIBE-CERT
Version 2.616.BY00.11 of the By Demes Group Airspace CCTV Web Service contains a privilege escalation vulnerability in the Camera Control Panel. Exploitation could allow a low-privileged attacker to gain administrator access.
Affected Resources
Airspace CCTV Camera Control Panel, version 2.616.BY00.11
Description
INCIBE has coordinated the publication of a vulnerability affecting the panel used to manage several models of By Demes Group CCTV cameras. The vulnerability was discovered by Camilo Andrés Bruna of Zerolynx.
The following code has been assigned to this vulnerability:
CVE-2023-0506:
- CVSS v3.1 base score: 8.8.
- CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
- Vulnerability type: CWE-284: Improper Access Control.
Solution
The reported vulnerability has already been fixed by the By Demes Group security team. Affected users are advised to upgrade to the latest version available.
By Demes Group reminds users that the affected devices are at end of life and are no longer supported, so upgrading to a newer model is recommended.
Detail
CVE-2023-0506: version 2.616.BY00.11 of the web service of the affected devices contains a privilege escalation vulnerability in the Camera Control Panel. Exploitation could allow a low-privileged attacker to gain administrator access.