A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.
The attacker sends a crafted HTTP request to the server containing a manipulated Host header. The application improperly processes (CWE-116) or insufficiently validates the value of this header (CWE-74), leading to inconsistency in request interpretation (CWE-444). Providing a properly constructed URL allows for arbitrary code execution on the server side.
An attacker without any privileges can execute arbitrary code on the server (RCE), leading to complete takeover of the system, including loss of confidentiality, integrity and availability — and in the context of a physical access control system, also a threat to facility security.
Patches available from the vendor should be applied according to the references. Until the fix is deployed, it is recommended to restrict network access to the ACM management interface to trusted hosts only and monitor traffic for suspicious HTTP Host headers.
Avigilon Access Control Manager (ACM) version 7.10.0.20
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAvigilon Access Control Manager
APPAvigilon7.10.0.20