Vulnerability Details CVE-2020-8145
The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup” and “wizard” endpoints does not implement sufficient privilege checks. Low-privileged users belonging to the PUBLIC_GROUP or CUSTOM_GROUP groups can access these endpoints and overwrite the current application configuration. This can be abused for various purposes, including adding new administrative users.
Affected Products: UniFi Video Controller v3.9.3 (for Windows 7/8/10 x64) and prior.
Fixed in UniFi Video Controller v3.9.6 and newer.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 45.9%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.0
Products affected by CVE-2020-8145
- cpe:2.3:a:ui:unifi_video:2.1.3
- cpe:2.3:a:ui:unifi_video:3.0.1
- cpe:2.3:a:ui:unifi_video:3.1.5
- cpe:2.3:a:ui:unifi_video:3.7.0
- cpe:2.3:a:ui:unifi_video:3.7.1
- cpe:2.3:a:ui:unifi_video:3.7.2
- cpe:2.3:a:ui:unifi_video:3.7.3
- cpe:2.3:a:ui:unifi_video:3.8.0
- cpe:2.3:a:ui:unifi_video:3.9.0
- cpe:2.3:a:ui:unifi_video:3.9.2
- cpe:2.3:a:ui:unifi_video:3.9.3
- cpe:2.3:o:microsoft:windows:-