CVE-2024-45178: n/a
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to download arbitrary files from the C-MOR system via a path traversal attack. It was found out that different functionalities are vulnerable to path traversal attacks, due to insufficient user input validation. For instance, the download functionality for backups provided by the script download-bkf.pml is vulnerable to a path traversal attack via the parameter bkf. This enables an authenticated user to download arbitrary files as Linux user www-data from the C-MOR system. Another path traversal attack is in the script show-movies.pml, which can be exploited via the parameter cam.
AI Analysis
Technical Summary
CVE-2024-45178 is a path traversal vulnerability (CWE-22, Improper Limitation of a Pathname to a Restricted Directory) in za-internet C-MOR Video Surveillance version 5.2401. Several server-side scripts take a user-supplied value and build a file path from it without confining the result to the directory it was meant to stay in. Two are named in the advisory: download-bkf.pml, whose bkf parameter selects the backup file to download, and show-movies.pml, whose cam parameter selects the camera whose recordings are displayed. Supplying traversal sequences such as ../ in either parameter lets an authenticated user read files outside the intended directory. The file is returned with the privileges of the web server process, the Linux user www-data, which bounds the exposure: anything www-data can open, including the application's own configuration, backups and recordings, is reachable, while files restricted to root are not. The CVSS v3.1 base score of 7.1 (high) corresponds to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N: reachable over the network, low attack complexity, low privileges (any authenticated account), no user interaction, high confidentiality impact, low integrity impact and no availability impact. At the time of this analysis no vendor patch and no public exploit had been recorded; the CVE was reserved on 2024-08-22 and published in early September 2024. In practice an arbitrary file read on a surveillance appliance is used to recover configuration files, stored credentials and other sensitive data that enable further compromise or data leakage.
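To make the flaw and its fix concrete, the following Python is an added illustration and not C-MOR's code (the vulnerable .pml scripts are not reproduced on this page). It shows the unsafe join-and-serve pattern the summary describes next to a hardened resolver that allow-lists the shape of each parameter and then checks that the normalised path stays under its base directory. The directory locations, the .bkf suffix, the camera-id format and the serve() dispatcher are assumptions made for the example.

```python
"""Added example (not C-MOR code): unsafe vs hardened handling of the
bkf and cam parameters. Paths, suffix and id format are assumptions."""
import posixpath
import re
from urllib.parse import parse_qs

BACKUP_DIR = "/var/cmor/backups"   # assumed location of backup files
MOVIE_DIR = "/var/cmor/movies"     # assumed location of per-camera recordings
# Backup name: no leading dot, no separators, fixed suffix (suffix assumed).
BACKUP_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*\.bkf$")
# Camera id: a short identifier, never a path.
CAM_ID = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


class PathTraversal(ValueError):
    """Raised when a user-controlled value would leave its base directory."""


def unsafe_backup_path(bkf: str) -> str:
    """The vulnerable pattern: join the parameter to the base and serve whatever
    results. '../' walks out of BACKUP_DIR and an absolute value replaces it."""
    return posixpath.normpath(posixpath.join(BACKUP_DIR, bkf))


def resolve_under(base: str, value: str) -> str:
    """Containment check: the normalised join must stay at or below base.
    Catches '../' chains and absolute values; a NUL byte is rejected because
    a C-level open() would truncate the path at it."""
    if "\x00" in value:
        raise PathTraversal("NUL byte in path")
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, value))
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathTraversal(f"{value!r} resolves to {candidate}, outside {base}")
    return candidate


def safe_backup_path(bkf: str) -> str:
    """bkf names a file: allow-list its shape, then containment-check the result
    so a mistake in the allow-list still cannot escape the directory."""
    if not BACKUP_NAME.match(bkf):
        raise PathTraversal(f"{bkf!r} is not a plain backup file name")
    return resolve_under(BACKUP_DIR, bkf)


def safe_movie_dir(cam: str) -> str:
    """cam is an identifier selecting a directory, so it never contains '/'."""
    if not CAM_ID.match(cam):
        raise PathTraversal(f"{cam!r} is not a camera id")
    return resolve_under(MOVIE_DIR, cam)


HANDLERS = {"download-bkf.pml": ("bkf", safe_backup_path),
            "show-movies.pml": ("cam", safe_movie_dir)}


def serve(script: str, query: str) -> tuple:
    """Decode the query string once, as the web server does, and dispatch the
    way the two scripts would. Returns (allowed, path_or_reason)."""
    param, resolver = HANDLERS[script]
    values = parse_qs(query, keep_blank_values=True).get(param, [""])
    try:
        return True, resolver(values[0])
    except PathTraversal as exc:
        return False, str(exc)


def rejects(resolver, value: str) -> bool:
    """True if resolver refuses value; used for self-checks."""
    try:
        resolver(value)
    except PathTraversal:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", unsafe_backup_path("../../../etc/passwd"))
    print("safe  :", serve("download-bkf.pml", "bkf=..%2F..%2F..%2Fetc%2Fpasswd"))
    print("safe  :", serve("show-movies.pml", "cam=cam01"))
```

The allow-list does the real work; the containment check in resolve_under is kept as a second layer and is what you would reach for on a parameter that legitimately carries subdirectories. Note that a percent-encoded payload is decoded by the web server before the script sees it, so matching on the literal string `../` in the raw URL is not enough on its own.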
Potential Impact
The direct impact of CVE-2024-45178 is disclosure of files on the C-MOR host to anyone holding valid credentials. What can be read is whatever the www-data user can open: the application's own configuration, backup archives and logs, which may contain passwords, network details and recorded footage or other personal data captured by the cameras. Such material supports follow-on attacks, including lateral movement to other systems whose credentials are stored on the appliance, or targeted surveillance of the monitored premises. The vulnerability does not by itself provide code execution or disrupt the system (availability is unaffected), but surveillance systems are commonly deployed in critical infrastructure, government and enterprise environments, so a loss of their confidentiality carries operational and reputational consequences. Authentication is required, which limits attackers to insiders or holders of compromised or shared accounts; however, a low-privileged account suffices, the attack is network-reachable and needs no special conditions, so organizations running C-MOR Video Surveillance 5.2401 should treat the flaw as a high risk to data confidentiality.
Mitigation Recommendations
Check with za-internet for a fixed release and apply it as soon as one is available. After updating, confirm the fix rather than assuming it: send an authenticated request to download-bkf.pml with a bkf value containing ../ (and its percent-encoded form) and to show-movies.pml with a similar cam value, and verify that the server rejects both instead of returning file content. Until a fix is in place, reduce the set of accounts that can log in and remove shared or unused ones, since any authenticated user can exploit the flaw; place the C-MOR system on a segmented network reachable only from the hosts that manage it, ideally via a VPN or jump host; and put a reverse proxy or WAF in front of it with rules that decode the request (including double-encoded sequences) before matching and block ../ and absolute paths in the bkf and cam parameters. On the server itself, restrict what the www-data user can read, so that configuration files holding credentials are readable only by the service that needs them, and disable the backup download function if the product allows it and it is not required. Log and review requests to these two scripts and alert on any value containing traversal sequences or an unexpected file name; because www-data can normally read the application's own configuration, treat confirmed exploitation as a likely credential exposure and rotate the affected secrets. Keep an incident response plan that covers this class of disclosure, and remind users that the flaw is only as far away as a compromised password.
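The monitoring advice above is easiest to act on with something that actually reads the web server log. The following Python is an added example, not part of the page or the vendor's software: it parses combined-format access log lines, keeps only requests to the two scripts named in the advisory, decodes the bkf and cam values until they stop changing (so a double-encoded %252e%252e is judged as the ../ the application will eventually see) and flags traversal sequences, absolute paths and NUL bytes. The log lines are constructed for the illustration, as are the script path and log format assumptions.

```python
"""Added example (not C-MOR code): hunt for traversal attempts against the
bkf and cam parameters in web server access logs. Sample lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Apache/nginx 'combined'-style format; the targets
# are illustrative of what an attacker might try, not observed traffic.
SAMPLE_LOG = """\
192.0.2.10 - operator [03/Sep/2024:10:15:01 +0000] "GET /download-bkf.pml?bkf=backup-20240903.bkf HTTP/1.1" 200 40960
192.0.2.10 - operator [03/Sep/2024:10:15:09 +0000] "GET /download-bkf.pml?bkf=../../../../etc/passwd HTTP/1.1" 200 1837
192.0.2.10 - operator [03/Sep/2024:10:15:14 +0000] "GET /download-bkf.pml?bkf=..%2F..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 221
198.51.100.7 - viewer [03/Sep/2024:10:16:22 +0000] "GET /show-movies.pml?cam=cam01 HTTP/1.1" 200 5120
198.51.100.7 - viewer [03/Sep/2024:10:16:30 +0000] "GET /show-movies.pml?cam=%252e%252e%252f%252e%252e%252fetc HTTP/1.1" 200 2048
203.0.113.5 - viewer [03/Sep/2024:10:17:00 +0000] "GET /index.pml HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# script -> parameters the advisory says are traversable
WATCHED = {"download-bkf.pml": {"bkf"}, "show-movies.pml": {"cam"}}
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so a double-encoded '..' is judged on
    what the application will finally see. Stops when decoding is stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_traversal(decoded: str) -> bool:
    """Flag '..' path segments, absolute paths and NUL bytes; backslashes are
    normalised first so '..\\' variants are not missed."""
    v = decoded.replace("\\", "/")
    return v.startswith("/") or "\x00" in v or TRAVERSAL.search(v) is not None


def scan(log_text: str) -> list:
    """One record per suspicious request on a watched script/parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        script = url.path.rsplit("/", 1)[-1]
        if script not in WATCHED:
            continue
        # parse_qsl decodes once, which is what the web server does for the app
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name not in WATCHED[script]:
                continue
            decoded = fully_decode(value)
            if looks_like_traversal(decoded):
                hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                             "script": script, "param": name,
                             "value": value, "decoded": decoded,
                             "status": int(m["status"])})
    return hits


def count_by_user(hits: list) -> dict:
    """Per-account tally: the accounts to suspend or investigate first."""
    counts = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["user"]} {h["script"]}?{h["param"]}='
              f'{h["decoded"]} -> {h["status"]}')
    print(count_by_user(scan(SAMPLE_LOG)))
```

The same decode-then-match logic is what a WAF rule in front of the system needs; a rule that only inspects the raw URL for the literal string `../` misses the encoded requests on lines three and five. A 200 status on a flagged request is the signal to treat the account's session and any secrets readable by www-data as exposed.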
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-08-22T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6ceab7ef31ef0b56a29c
Added to database: 2/25/2026, 9:43:06 PM
Last enriched: 2/28/2026, 6:53:27 AM
Last updated: 4/12/2026, 3:46:31 PM