Inadequate access control on By Demes Group products
INCIBE-2023-0243
Airspace CCTV Camera Control Panel, version 2.616.BY00.11
INCIBE has coordinated the publication of a vulnerability that affects the panel from which several models of By Demes Group CCTV cameras are managed, which has been discovered by Camilo Andrés Bruna of Zerolynx.
The following code has been assigned to this vulnerability:
CVE-2023-0506:
- CVSS v3.1 base score: 8.8.
- CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
- Vulnerability type:CWE-284: Improper Access Control.
The reported vulnerability has already been fixed by the By Demes Group security team. Affected users are advised to upgrade to the latest version available.
By Demes Group reminds that the affected devices are at end of life and are no longer supported, so it is recommended to upgrade to a newer model.
CVE-2023-0506: the web service of the affected devices in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access.
