Vulnerability CVE-2007-5212


Published: 2007-10-04   Modified: 2012-02-12

Description:
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware before 2.43 allow remote attackers to inject arbitrary web script or HTML via (1) parameters associated with saved settings, as demonstrated by the conf_SMTP_MailServer1 parameter to ServerManager.srv; or (2) the subpage parameter to wizard/first/wizard_main_first.shtml. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Owning Big Brother: How to Crack into Axis IP cameras
Procheckup
05.10.2007

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: AXIS
Product: 2100 network camera firmware 
Version: 2.42;
Product: 2100 network camera 
Version: 2.02;

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://securityreason.com/securityalert/3188
http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf
http://www.securityfocus.com/archive/1/480995/100/0/threaded
http://www.securityfocus.com/bid/25837

Related CVE
CVE-2018-10664
An issue was discovered in the httpd process in multiple models of Axis IP Cameras. There is Memory Corruption.
CVE-2018-10663
An issue was discovered in multiple models of Axis IP Cameras. There is an Incorrect Size Calculation.
CVE-2018-10662
An issue was discovered in multiple models of Axis IP Cameras. There is an Exposed Insecure Interface.
CVE-2018-10661
An issue was discovered in multiple models of Axis IP Cameras. There is a bypass of access control.
CVE-2018-10660
An issue was discovered in multiple models of Axis IP Cameras. There is Shell Command Injection.
CVE-2018-10659
There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which allows remote attackers to cause a denial of service (crash) by sending a crafted command which will result in a code path that calls the UND undefined ARM ins...
CVE-2018-10658
There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which causes a denial of service (crash). The crash arises from code inside libdbus-send.so shared object or similar.
CVE-2018-9158
An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. They don't employ a suitable mechanism to prevent a DoS attack, which leads to a response time delay. An attacker can use the hping3 tool to perform an IPv4 flood ...

Copyright 2019, cxsecurity.com

 

Back to Top