Axis M10 Series Cross-Site Scripting Vulnerability

Vulnerability ID: 1120690  Vulnerability Type: Cross-Site Scripting
Published: 2011-12-07  Updated: 2013-02-14
CVE ID: CVE-2011-5261  CNNVD ID: CNNVD-201302-163
Platform: Hardware  CVSS Score: 4.3
|Vulnerability Source
https://www.exploit-db.com/exploits/36428
https://www.securityfocus.com/bid/50968
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201302-163
|Vulnerability Details
A cross-site scripting vulnerability exists in serverreport.cgi in Axis M10 Series Network Cameras, M1054 firmware 5.21 and earlier. Remote attackers can exploit it to inject arbitrary web script or HTML via the pageTitle parameter passed to admin/showReport.shtml.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/50968/info

Axis M10 Series Network Cameras are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Axis M1054 firmware 5.21 is vulnerable; other versions may also be affected.

http://www.example.com/admin/showReport.shtml?content=serverreport.cgi&pageTitle=%3C%2Ftitle%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3B%3C%2Fscript%3E%3Ctitle%3E
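The root cause described above (the pageTitle value written into the page's `<title>` element without output encoding), the output-encoding fix, and a log check for the same parameter, as an added example that is not Axis firmware code or part of the original advisory. The template, function names and the access-log line are constructed assumptions; only the shape of the payload comes from the PoC URL above.

```python
import html
from urllib.parse import parse_qs, unquote, urlparse

# Constructed stand-in for the report page; the real CGI template is not on the page.
PAGE_TEMPLATE = "<html><head><title>{title}</title></head><body>{body}</body></html>"


def render_report_unsafe(page_title: str, body: str = "") -> str:
    """Vulnerable pattern: the query parameter is interpolated verbatim into the template."""
    return PAGE_TEMPLATE.format(title=page_title, body=body)


def render_report_safe(page_title: str, body: str = "") -> str:
    """Hardened pattern: HTML-escape the parameter so '<' and '>' cannot close the title element."""
    return PAGE_TEMPLATE.format(title=html.escape(page_title, quote=True), body=body)


def breaks_out_of_title(rendered: str) -> bool:
    """True when the output carries more than the template's single <title> or any <script> tag."""
    lowered = rendered.lower()
    return lowered.count("<title>") > 1 or "<script" in lowered


# Markup fragments that have no business in a page title; used for log triage, not as a filter.
SUSPICIOUS = ("</title>", "<script", "javascript:", "onerror=", "onload=")


def flag_request(log_line: str) -> list[str]:
    """Return the suspicious fragments found in the pageTitle value of one combined-format log line."""
    parts = log_line.split('"')
    if len(parts) < 2:
        return []
    fields = parts[1].split()  # e.g. 'GET /admin/showReport.shtml?... HTTP/1.1'
    if len(fields) < 2:
        return []
    query = parse_qs(urlparse(fields[1]).query)
    hits: list[str] = []
    for value in query.get("pageTitle", []):
        decoded = unquote(value).lower()  # second decode catches double-encoded values
        hits.extend(marker for marker in SUSPICIOUS if marker in decoded)
    return hits


# Constructed access-log line replaying the advisory's PoC request.
SAMPLE_LOG = ('203.0.113.5 - - [07/Dec/2011:10:00:00 +0000] "GET /admin/showReport.shtml'
              '?content=serverreport.cgi&pageTitle=%3C%2Ftitle%3E%3Cscript%3Ealert(String.'
              'fromCharCode(88%2C83%2C83))%3B%3C%2Fscript%3E%3Ctitle%3E HTTP/1.1" 200 512')
```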
|Affected Products
Axis M1054 firmware 5.21
Axis M10 Series Network Camera 0
|References

Source: XF
Name: axism10-showreport-xss(71687)
Link: http://xforce.iss.net/xforce/xfdb/71687
Source: BID
Name: 50968
Link: http://www.securityfocus.com/bid/50968
Source: SECUNIA
Name: 47037
Link: http://secunia.com/advisories/47037
Source: OSVDB
Name: 77395
Link: http://osvdb.org/77395
Source: metzgersecurity.blogspot.com
Link: http://metzgersecurity.blogspot.com/2011/11/xss-vulnerability-axis-m10-series.html