python · motioneyeHeads-up
motionEye Missing Authentication in ActionHandler.post()
The ActionHandler.post() method in motionEye lacks an authentication decorator, allowing unauthenticated attackers to trigger camera actions such as snapshots,
What changed
The ActionHandler.post() method in motionEye lacks an authentication decorator, allowing unauthenticated attackers to trigger camera actions such as snapshots, recording start/stop, and configured action scripts.
Who it affects
All deployments of motionEye with at least one camera configured, especially those with action scripts (PTZ, alarms, etc.) or remote cameras.
What to do today
Apply the recommended fix by adding @BaseHandler.auth() decorator to ActionHandler.post() in motioneye/handlers/action.py, or update to a patched version when available.
The trail
Collected→
Audited→
Written→
Published