7.2
CVE-2025-60787
- EPSS 65.96%
- Published 03.10.2025 00:00:00
- Last modified 10.10.2025 16:22:30
- Source cve@mitre.org
MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.
Data provided by the National Vulnerability Database (NVD)
Motioneye Project ≫ Motioneye Version 0.42.1
Motioneye Project ≫ Motioneye Version 0.43.1 Update beta1
Motioneye Project ≫ Motioneye Version 0.43.1 Update beta2
Motioneye Project ≫ Motioneye Version 0.43.1 Update beta3
Motioneye Project ≫ Motioneye Version 0.43.1 Update beta4
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 65.96% | 0.985 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CWE-116 Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.