CVSS: 5.1EPSS: 0%CPEs: 17EXPL: 1CVE-2025-5127 – FLIR AX8 prod.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-5127
24 May 2025 — A vulnerability, which was classified as problematic, has been found in FLIR AX8 up to 1.46.16. This issue affects some unknown processing of the file /prod.php. The manipulation of the argument cmd leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/YZS17/CVE/blob/main/XSS%20vulnerability%20in%20FLIR%20AX8.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 17EXPL: 1CVE-2025-5126 – FLIR AX8 settingsregional.php setDataTime command injection
https://notcve.org/view.php?id=CVE-2025-5126
24 May 2025 — A vulnerability classified as critical was found in FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. The manipulation of the argument year/month/day/hour/minute leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24hour.md • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 17EXPL: 1CVE-2024-3013 – FLIR AX8 User Registration improper authorization
https://notcve.org/view.php?id=CVE-2024-3013
28 Mar 2024 — A vulnerability was found in FLIR AX8 up to 1.46.16. It has been rated as critical. This issue affects some unknown processing of the file /tools/test_login.php?action=register of the component User Registration. The manipulation leads to improper authorization. • https://h0e4a0r1t.github.io/2024/vulns/FLIR-AX8%20Fixed%20Thermal%20Cameras%20Register%20any%20user%20in%20the%20background--test_login.php.pdf • CWE-285: Improper Authorization •
CVSS: 10.0EPSS: 23%CPEs: 2EXPL: 1CVE-2023-51126
https://notcve.org/view.php?id=CVE-2023-51126
10 Jan 2024 — Command injection vulnerability in /usr/www/res.php in FLIR AX8 up to 1.46.16 allows attackers to run arbitrary commands via the value parameter. Vulnerabilidad de inyección de comandos en /usr/www/res.php en FLIR AX8 hasta 1.46.16 permite a atacantes ejecutar comandos arbitrarios a través del parámetro value. • https://github.com/risuxx/CVE-2023-51126 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 4%CPEs: 2EXPL: 1CVE-2023-51127
https://notcve.org/view.php?id=CVE-2023-51127
10 Jan 2024 — FLIR AX8 thermal sensor cameras up to and including 1.46.16 are vulnerable to Directory Traversal due to improper access restriction. This vulnerability allows an unauthenticated, remote attacker to obtain arbitrary sensitive file contents by uploading a specially crafted symbolic link file. Las cámaras con sensor térmico FLIR AX8 hasta la versión 1.46.16 incluida son vulnerables a Directory Traversal debido a una restricción de acceso inadecuada. Esta vulnerabilidad permite que un atacante remoto no autent... • https://github.com/risuxx/CVE-2023-51127 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 2%CPEs: 2EXPL: 1CVE-2023-29861
https://notcve.org/view.php?id=CVE-2023-29861
15 May 2023 — An issue found in FLIR-DVTEL version not specified allows a remote attacker to execute arbitrary code via a crafted request to the management page of the device. • https://github.com/Duke1410/CVE/blob/main/CVE-2023-29861 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 1CVE-2022-4364 – Teledyne FLIR AX8 Web Service palette.php command injection
https://notcve.org/view.php?id=CVE-2022-4364
08 Dec 2022 — A vulnerability classified as critical has been found in Teledyne FLIR AX8 up to 1.46.16. Affected is an unknown function of the file palette.php of the component Web Service Handler. The manipulation of the argument palette leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/siriuswhiter/VulnHub/blob/main/Flir/02-FLIR-AX8%20palette.php%20%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/FLIR-AX8%20palette.php%20%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E1.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-707: Improper Neutralization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-37063 – FLIR AX8 1.46.16 Traversal / Access Control / Command Injection / XSS
https://notcve.org/view.php?id=CVE-2022-37063
18 Aug 2022 — All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Cross Site Scripting (XSS) due to improper input sanitization. An authenticated remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. Todas las versiones de las cámaras de sensor térmico FLIR AX8 versiones hasta 1.46.16 incluyéndola, son vulnerables a un ataque de tipo Cross Site Scripting (XSS) debido a... • https://packetstorm.news/files/id/168116 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 2CVE-2022-37062 – FLIR AX8 1.46.16 Traversal / Access Control / Command Injection / XSS
https://notcve.org/view.php?id=CVE-2022-37062
18 Aug 2022 — All FLIR AX8 thermal sensor cameras version up to and including 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords. Todas las cámaras de sensor térmico FLIR AX8, versiones hasta 1.46.16 incluyéndola, están afectadas por una vulner... • https://packetstorm.news/files/id/168116 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 5%CPEs: 2EXPL: 3CVE-2022-37060 – FLIR AX8 1.46.16 Traversal / Access Control / Command Injection / XSS
https://notcve.org/view.php?id=CVE-2022-37060
18 Aug 2022 — FLIR AX8 thermal sensor cameras version up to and including 1.46.16 is vulnerable to Directory Traversal due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server's restricted path. Las cámaras de sensor térmico FLIR AX8, versiones hasta 1.46.16 incluyéndola, son vulnerables a un Salto de Directorio debido a una restricción de acceso inapropiada. Un ... • https://packetstorm.news/files/id/168116 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •