motionEye v0.43.1 Path Traversal in Picture and Movie Endpoints
What changed
motionEye v0.43.1 has a path traversal vulnerability in the picture and movie API endpoints due to missing '..' checks in get_media_preview() and del_media_content(), while get_media_content() is safe.
Who it affects
All motionEye v0.43.1 instances with authenticated users (normal or admin).
What to do today
Apply the fix by adding '..' validation to get_media_preview() and del_media_content() in mediafiles.py, or restrict access to these endpoints until a patch is released.
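One way to write the validation described above, as an added example that is not motionEye's own code: `resolve_media_path`, `UnsafeMediaPath` and `is_allowed` are hypothetical names, and the containment check after symlink resolution goes beyond the '..' check the advisory names.

```python
import os
import tempfile


class UnsafeMediaPath(ValueError):
    """Requested media path would escape the camera's media directory."""


def resolve_media_path(target_dir, requested):
    """Map a client-supplied relative path to a file under target_dir, or raise.

    Hypothetical helper for illustration; not a motionEye function.
    """
    if "\x00" in requested:
        raise UnsafeMediaPath("NUL byte in path")
    # The '..' check: reject any parent-directory component, with either separator.
    if ".." in requested.replace("\\", "/").split("/"):
        raise UnsafeMediaPath("'..' component in path")
    base = os.path.realpath(target_dir)
    # Strip leading separators so an absolute request cannot replace base in join().
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # Containment check after symlink resolution (goes beyond the '..' check).
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeMediaPath("resolved path is outside the media directory")
    return candidate


def is_allowed(target_dir, requested):
    """True if the request resolves inside target_dir, False if it is rejected."""
    try:
        resolve_media_path(target_dir, requested)
        return True
    except UnsafeMediaPath:
        return False


if __name__ == "__main__":
    # Constructed sample requests against a throwaway media directory.
    with tempfile.TemporaryDirectory() as media_dir:
        for req in ["2024-01-01/12-00-00.jpg", "../../etc/passwd",
                    "2024-01-01/../../secret", "/etc/passwd"]:
            print(f"{req!r:32} allowed={is_allowed(media_dir, req)}")
```

Calling the same helper from every code path that turns a request path into a filesystem path (read, preview and delete) keeps the three behaviours from drifting apart.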