中文描述:

firmware 2.43版本及其早期版本中的AXIS 2100 Network Camera 2.02存在多个跨站脚本攻击漏洞， 远程攻击者可以借助以下参数注入任意web脚本或HTML：(1)与一个目录相连的默认URL的PATH_INFO ,例如(a)根目录和(b)view/目录；(2)与保存设置相连的参数,如(c)Network页面的conf_Network_HostName参数和(d)ServerManager.srv的conf_Layout_OwnTitle参数；和(3)ServerManager.srv的查询字符串,将在页面显示。

英文描述:

Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to the default URI associated with a directory, as demonstrated by (a) the root directory and (b) the view/ directory; (2) parameters associated with saved settings, as demonstrated by (c) the conf_Network_HostName parameter on the Network page and (d) the conf_Layout_OwnTitle parameter to ServerManager.srv; and (3) the query string to ServerManager.srv, which is displayed on the logs page. NOTE: an attacker can leverage a CSRF vulnerability to modify saved settings.

CWE类型:

标签:

中文解决方案:

英文解决方案:

临时解决方案: