
CVE-2025-5127 – FLIR AX8 prod.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-5127
24 May 2025 — A vulnerability, which was classified as problematic, has been found in FLIR AX8 up to 1.46.16. This issue affects some unknown processing of the file /prod.php. The manipulation of the argument cmd leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/YZS17/CVE/blob/main/XSS%20vulnerability%20in%20FLIR%20AX8.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-5126 – FLIR AX8 settingsregional.php setDataTime command injection
https://notcve.org/view.php?id=CVE-2025-5126
24 May 2025 — A vulnerability classified as critical was found in FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. The manipulation of the argument year/month/day/hour/minute leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24hour.md • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2024-3013 – FLIR AX8 User Registration improper authorization
https://notcve.org/view.php?id=CVE-2024-3013
28 Mar 2024 — A vulnerability was found in FLIR AX8 up to 1.46.16. It has been rated as critical. This issue affects some unknown processing of the file /tools/test_login.php?action=register of the component User Registration. The manipulation leads to improper authorization. • https://h0e4a0r1t.github.io/2024/vulns/FLIR-AX8%20Fixed%20Thermal%20Cameras%20Register%20any%20user%20in%20the%20background--test_login.php.pdf • CWE-285: Improper Authorization

CVE-2023-51127
https://notcve.org/view.php?id=CVE-2023-51127
10 Jan 2024 — FLIR AX8 thermal sensor cameras up to and including 1.46.16 are vulnerable to Directory Traversal due to improper access restriction. This vulnerability allows an unauthenticated, remote attacker to obtain arbitrary sensitive file contents by uploading a specially crafted symbolic link file. • https://github.com/risuxx/CVE-2023-51127 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')