CVE-2023-5800

MEDIUM

Axis OS < 11.8.61 - Code Injection

Title source: rule

Description

Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

References (1)

[Vendor Advisory] https://www.axis.com/dam/public/89/d9/99/cve-2023-5800-en-US-424339.pdf

Scores

CVSS v3 5.4

EPSS 0.0017

EPSS Percentile 38.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-35 CWE-94

Status published

Products (3)

axis/axis_os < 11.8.61

axis/axis_os_2020 < 9.80.55

axis/axis_os_2022 < 10.12.220

Published Feb 05, 2024

Tracked Since Feb 18, 2026