CVE-2007-5214
Severity Score (CVSS v2): 4.3
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 1
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to the default URI associated with a directory, as demonstrated by (a) the root directory and (b) the view/ directory; (2) parameters associated with saved settings, as demonstrated by (c) the conf_Network_HostName parameter on the Network page and (d) the conf_Layout_OwnTitle parameter to ServerManager.srv; and (3) the query string to ServerManager.srv, which is displayed on the logs page. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings.

Credits: N/A
CVSS Scores (CVSS v2)
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2007-10-04 CVE Reserved
  • 2007-10-04 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-08-07 First Exploit
  • 2024-09-14 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product             | Version | Other         | Status
Axis   | 2100 Network Camera | <= 2.02 | firmware_2.43 | Affected