3.5
CVE-2014-1902
- EPSS 0.19%
- Published 14.05.2015 00:59:02
- Last modified 12.04.2025 10:46:40
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
Multiple cross-site scripting (XSS) vulnerabilities in Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote authenticated users to inject arbitrary web script or HTML via the (1) SYSCONTACT parameter to form/identityApply, as triggered using en/identity.asp; (2) PASSWD parameter to form/accAdd, as triggered using en/account/accedit.asp; (3) NTPSERVER parameter to form/clockApply, as triggered using en/clock.asp; (4) SERVER parameter to form/smtpclientApply, as triggered using en/smtpclient.asp; (5) SERVER parameter to form/ftpApply, as triggered using en/ftp.asp; or (6) SERVER parameter to form/httpEventApply, as triggered using en/httpevent.asp.
Data is provided by the National Vulnerability Database (NVD)
Y-cam ≫ Ycb004 Firmware Version4.30
Y-cam ≫ Ycb002 Firmware Version4.30
Y-cam ≫ Yck002 Firmware Version4.30
Y-cam ≫ Yck003 Firmware Version4.30
Y-cam ≫ Yceb03 Firmware Version4.30
Y-cam ≫ Ycb001 Firmware Version4.30
Y-cam ≫ Ycblhd5 Firmware Version4.30
Y-cam ≫ Ycblb3 Firmware Version4.30
Y-cam ≫ Ycb003 Firmware Version4.30
Y-cam ≫ Ycw003 Firmware Version4.30
Y-cam ≫ Ycw004 Firmware Version4.30
Y-cam ≫ Ycbl03 Firmware Version4.30
Y-cam ≫ Yck004 Firmware Version4.30
Y-cam ≫ Ycw001 Firmware Version4.30
Y-cam ≫ Ycw002 Firmware Version4.30
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.371 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 3.5 | 6.8 | 2.9 |
AV:N/AC:M/Au:S/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.