CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2017-15885
https://notcve.org/view.php?id=CVE-2017-15885
Reflected XSS in the web administration portal on the Axis 2100 Network Camera 2.03 allows an attacker to execute arbitrary JavaScript via the conf_Layout_OwnTitle parameter to view/view.shtml. NOTE: this might overlap CVE-2007-5214. XSS reflejado en el portal de administración web en la versión 2.03 de la cámara de red Axis 2100 permite que un atacante ejecute código JavaScript arbitrario mediante el parámetro conf_Layout_OwnTitle en view/view.shtml. NOTA: esta vulnerabilidad puede solaparse con CVE-2007-5214 • https://distributedcompute.com/2017/10/24/axis-2100-network-camera-2-03-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2017-12413 – Axis 2100 Network Camera 2.43 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2017-12413
AXIS 2100 devices 2.43 have XSS via the URI, possibly related to admin/admin.shtml. Los dispositivos AXIS 2100 en su versión 2.43 tienen una vulnerabilidad de tipo Cross-Site Scripting (XSS) a través de la URI, probablemente relacionada con admin/admin.shtml. Axis 2100 Network Camera version 2.43 suffers from a cross site scripting vulnerability. • https://packetstormsecurity.com/files/143657/Axis-2100-Network-Camera-2.43-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 1%CPEs: 2EXPL: 1CVE-2007-5213
https://notcve.org/view.php?id=CVE-2007-5213
Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to perform actions as administrators, as demonstrated by (1) an SMTP server change through the conf_SMTP_MailServer1 parameter to ServerManager.srv and (2) a hostname change through the conf_Network_HostName parameter on the Network page. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en AXIS 2100 Network Camera 2.02 con firmware 2.43 y anteriores permite a atacantes remotos llevar a cabo acciones como administrador, como ha sido demostrado por (1) un cambio del servidor SMTP a través del parámetro conf_SMTP_MailServer1 a ServerManager.srv y (2) un cambio del nombre de máquina a través del parámetro conf_Network_HostName en la página Network. • http://osvdb.org/39490 http://osvdb.org/39491 http://securityreason.com/securityalert/3188 http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf http://www.securityfocus.com/archive/1/480995/100/0/threaded http://www.securityfocus.com/bid/25837 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 2%CPEs: 1EXPL: 1CVE-2007-5214
https://notcve.org/view.php?id=CVE-2007-5214
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to the default URI associated with a directory, as demonstrated by (a) the root directory and (b) the view/ directory; (2) parameters associated with saved settings, as demonstrated by (c) the conf_Network_HostName parameter on the Network page and (d) the conf_Layout_OwnTitle parameter to ServerManager.srv; and (3) the query string to ServerManager.srv, which is displayed on the logs page. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en AXIS 2100 Network Camera 2.02 con firmware 2.43 y anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante (1) el PATH_INFO al URI por defecto asociado con un directorio, como ha sido demostrado por (a) el directorio raíz y (b) el directorio view/; (2) parámetros asociados con configuraciones guardadas, como ha sido demostrado por (c) el parámetro conf_Network_HostName en la página Network y (d) el parámetro conf_Layout_OwnTitle a ServerManager.srv; y (3) la cadena de petición a ServerManager.srv, la cual se muestra en la página de logs. NOTA: un atacantes podría aprovechar una vulnerabilidad CSRF para modificar las configuraciones guardadas. • http://osvdb.org/39492 http://osvdb.org/39493 http://osvdb.org/39494 http://osvdb.org/39495 http://securityreason.com/securityalert/3188 http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf http://www.securityfocus.com/archive/1/480995/100/0/threaded http://www.securityfocus.com/bid/25837 https://exchange.xforce.ibmcloud.com/vulnerabilities/36840 https://exchange.xforce.ibmcloud.com/vulnerabilities/36841 https://exchange.xforce.ibmcloud.com/vulnerabilities/36842 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2007-5212
https://notcve.org/view.php?id=CVE-2007-5212
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware before 2.43 allow remote attackers to inject arbitrary web script or HTML via (1) parameters associated with saved settings, as demonstrated by the conf_SMTP_MailServer1 parameter to ServerManager.srv; or (2) the subpage parameter to wizard/first/wizard_main_first.shtml. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en AXIS 2100 Network Camera 2.02 con firmware anterior a 2.43 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante (1) parámetros asociados configuraciones guardadas, como ha sido demostrado por el parámetro conf_SMTP_MailServer1 a ServerManager.srv; o (2) el parámetro subpage a wizard/first/wizard_main_first.shtml. NOTA: un atacante podría aprovechar una vulnerabilidad CSRF para modificar configuraciones guardadas. • http://osvdb.org/38795 http://osvdb.org/38796 http://securityreason.com/securityalert/3188 http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf http://www.securityfocus.com/archive/1/480995/100/0/threaded http://www.securityfocus.com/bid/25837 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •