CVE-2019-5430
HIGHUniFi Video < 3.10.0 - Cross-Site Request Forgery via Web API
Title source: llmDescription
In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://hackerone.com/reports/329749
Vendor Advisory x_refsource_misc
https://community.ubnt.com/t5/UniFi-Video-Blog/UniFi-Video-3-10-1-Soft-Release/ba-p/2658279
Scores
CVSS v3
8.8
EPSS
0.0071
EPSS Percentile
49.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
ui/unifi_video
< 3.10.0
Published
May 06, 2019
Tracked Since
Feb 18, 2026