CVE-2024-47259

Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.axis.com/dam/public/13/cd/4a/cve-2024-47259pdf-en-US-466882.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:axis:axis_os:::::active:::*
	cpe:2.3:o:axis:axis_os_2024:::::lts:::*

History

22 Jan 2026, 16:35

Type	Values Removed	Values Added
CPE		cpe:2.3:o:axis:axis_os:::::active:::* cpe:2.3:o:axis:axis_os_2024:::::lts:::*
First Time		Axis axis Os Axis axis Os 2024 Axis
Summary		(es) Girishunawane, miembro del programa Bug Bounty de AXIS OS, ha descubierto que la API VAPIX dynamicoverlay.cgi no tenía una validación de entrada suficiente que permitiera una posible inyección de comandos que permitiera transferir archivos al dispositivo Axis con el fin de agotar los recursos del sistema. Axis ha publicado versiones parcheadas de AXIS OS para la falla resaltada. Consulte el aviso de seguridad de Axis para obtener más información y soluciones.
References	~~() https://www.axis.com/dam/public/13/cd/4a/cve-2024-47259pdf-en-US-466882.pdf -~~	() https://www.axis.com/dam/public/13/cd/4a/cve-2024-47259pdf-en-US-466882.pdf - Vendor Advisory

04 Mar 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-04 06:15

Updated : 2026-01-22 16:35

NVD link : CVE-2024-47259

Mitre link : CVE-2024-47259

CVE.ORG link : CVE-2024-47259

JSON object : View

Products Affected

axis

axis_os_2024
axis_os

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-47259", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "product-security@axis.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2025-03-04T06:15:29.190", "references": [{"url": "https://www.axis.com/dam/public/13/cd/4a/cve-2024-47259pdf-en-US-466882.pdf", "tags": ["Vendor Advisory"], "source": "product-security@axis.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "product-security@axis.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. \nAxis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution."}, {"lang": "es", "value": "Girishunawane, miembro del programa Bug Bounty de AXIS OS, ha descubierto que la API VAPIX dynamicoverlay.cgi no ten\u00eda una validaci\u00f3n de entrada suficiente que permitiera una posible inyecci\u00f3n de comandos que permitiera transferir archivos al dispositivo Axis con el fin de agotar los recursos del sistema. Axis ha publicado versiones parcheadas de AXIS OS para la falla resaltada. Consulte el aviso de seguridad de Axis para obtener m\u00e1s informaci\u00f3n y soluciones."}], "lastModified": "2026-01-22T16:35:55.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:*", "vulnerable": true, "matchCriteriaId": "4CE29EC9-EB6F-44EF-ACBB-A484B7D8E7E6", "versionEndExcluding": "12.2.52", "versionStartIncluding": "11.11.0"}, {"criteria": "cpe:2.3:o:axis:axis_os_2024:*:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "0C7FA186-A914-4B8A-B9EE-7CCB60AA799F", "versionEndExcluding": "11.11.126"}], "operator": "OR"}]}], "sourceIdentifier": "product-security@axis.com"}