CVSS: 6.5EPSS: 0%CPEs: 26EXPL: 0CVE-2022-28172
https://notcve.org/view.php?id=CVE-2022-28172
The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device. El módulo web de algunos productos Hikvision Hybrid SAN/Cluster Storage presenta la siguiente vulnerabilidad de seguridad. Debido a una insuficiente comprobación de entrada, un atacante puede aprovechar la vulnerabilidad para realizar un ataque de tipo XSS mediante el envío de mensajes con comandos maliciosos al dispositivo afectado • http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 22%CPEs: 26EXPL: 3CVE-2022-28171 – Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-28171
The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device. El módulo web de algunos productos Hikvision Hybrid SAN/Cluster Storage presenta la siguiente vulnerabilidad de seguridad. Debido a una insuficiente comprobación de entrada, el atacante puede explotar la vulnerabilidad para ejecutar comandos restringidos mediante el envío de mensajes con comandos maliciosos al dispositivo afectado Hikvision Hybrid SAN Ds-a71024 firmware suffers from a remote blind SQL injection vulnerability. • https://www.exploit-db.com/exploits/51607 https://github.com/NyaMeeEain/CVE-2022-28171-POC http://packetstormsecurity.com/files/170818/Hikvision-Remote-Code-Execution-XSS-SQL-Injection.html http://packetstormsecurity.com/files/173653/Hikvision-Hybrid-SAN-Ds-a71024-SQL-Injection.html https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-hybrid-san-products • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •