Alta Video —1696: Vulnerability found in the Firebase JavaScript SDK

Release Date

4th of December 2024.

Overview

A vulnerability in the Firebase JavaScript SDK has been found to affect the Alta Video Cloud Web UI (CVE-2024-11023). The library uses a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If an attacker is able to preset this cookie field by any other method, they can manipulate the "_authTokenSyncURL" to point to their own server, which would allow them to capture user session data transmitted by the SDK.
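
As an added example (not Avigilon's or the Firebase SDK's code), the following audit check reads a Cookie header, decodes the cookie described above and reports whether "_authTokenSyncURL" resolves to an origin outside a trusted list. It assumes the cookie value is base64-encoded JSON; the function names, origins and sample cookies are constructed for illustration.

```javascript
// Added example: defensive audit of a Cookie header (not vendor or SDK code).
// Assumption: the cookie value is base64-encoded JSON. All names are illustrative.

function parseCookies(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Returns { status } where status is one of:
// 'absent', 'malformed', 'no-sync-url', 'trusted', 'untrusted'.
function auditFirebaseDefaults(cookieHeader, pageOrigin, extraAllowed = [],
                               cookieName = 'FIREBASE_DEFAULTS') {
  const allowed = new Set([pageOrigin, ...extraAllowed].map((o) => new URL(o).origin));
  const raw = parseCookies(cookieHeader).get(cookieName);
  if (raw === undefined) return { status: 'absent' };

  let defaults;
  try {
    defaults = JSON.parse(atob(decodeURIComponent(raw)));
  } catch {
    return { status: 'malformed' };
  }
  if (defaults === null || typeof defaults !== 'object') return { status: 'malformed' };

  const syncUrl = defaults._authTokenSyncURL;
  if (syncUrl === undefined) return { status: 'no-sync-url' };
  if (typeof syncUrl !== 'string') return { status: 'untrusted', syncUrl };

  let origin;
  try {
    origin = new URL(syncUrl, pageOrigin).origin; // relative URLs resolve to the page
  } catch {
    return { status: 'untrusted', syncUrl };
  }
  return { status: allowed.has(origin) ? 'trusted' : 'untrusted', syncUrl, origin };
}

// Constructed sample input: origins and cookie contents are made up.
const PAGE_ORIGIN = 'https://video.example';
const sampleCookie = (obj) => 'session=abc; FIREBASE_DEFAULTS=' + btoa(JSON.stringify(obj));

console.log(auditFirebaseDefaults(sampleCookie({ _authTokenSyncURL: 'https://collector.example/sync' }), PAGE_ORIGIN));
console.log(auditFirebaseDefaults(sampleCookie({ _authTokenSyncURL: '/api/sync' }), PAGE_ORIGIN));
```
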

Affected Products

  • Alta Video Cloud: before 4th December 2024.

Unaffected Products

  • Alta Video: all versions.
  • Avigilon Cloud-Native Cameras: all versions.
  • Alta Video Cloud: from 4th December 2024.

Resolution

A fix was deployed to the Alta Video Cloud on 4th December 2024. Alta Video Cloud customers do not need to take any additional action.

Vulnerability Information

Mitigations

There are no known mitigations for this issue.

Workarounds

There are no known workarounds for this issue.

Acknowledgements

Issue found internally by Avigilon Alta.

Disclosure Timeline

  • 18/11/2024 Issue disclosed by the vendor
  • 28/11/2024 Fix identified
  • 04/12/2024 Patched Alta Video Cloud
  • 04/12/2024 Vulnerability publicly disclosed