QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2020-8144

Back to search

CVE-2020-8144

Published: Apr 1, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the version field contains ..\ character sequences, the destination file path to save the firmware can be manipulated to be outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer.

VendorProductVersions

n/a

UniFi Video Controller (for Windows 7/8/10 x64)

affected
v3.9.3 and prior are affected
affected
Fixed in v3.10.3 and newer

Weaknesses (CWE)

CWE-22

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now