CVE-2019-5430

Published: May 6, 2019Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page.

Affected (1)

Products: Ui: Unifi Video

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ui Unifi Video	Up to 3.10.0

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://community.ubnt.com/t5/UniFi-Video-Blog/UniFi-Video-3-10-1-Soft-Release/ba-p/2658279

Source: support@hackerone.com

Vendor Advisory

https://hackerone.com/reports/329749

Source: support@hackerone.com

Third Party Advisory

https://community.ubnt.com/t5/UniFi-Video-Blog/UniFi-Video-3-10-1-Soft-Release/ba-p/2658279

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://hackerone.com/reports/329749

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.